Information Processing Device, Recovery Device, Program and Recovery Method

ABSTRACT

The information processing device which recovers a domain developing a fault caused by added application and device driver while maintaining security and reliability includes a plurality of processors, wherein the plurality of processors form a plurality of domains according to processing contents to be executed, and the processors in different domains communicate with each other through a communication unit, and which further includes a recovery unit for executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by the domain and a recovery condition set in advance for each domain.

TECHNICAL FIELD

The present invention relates to an information processing device formed of multiprocessors and, more particularly, an information processing device comprising a domain having a processor capable of executing additional processing externally obtained, a recovery device, a program and a recovery method.

BACKGROUND ART

In an information communication terminal device such as a mobile phone, basic processing for realizing a basic function of the terminal device (e.g. a call processing function, a browsing function for Internet access, an electronic mailing function, a screen control function and the like) is commonly installed together with an operating system in advance, and other additional processing (program) than the above-described basic processing is downloaded into the terminal device from the outside such as a network by user operation or the like and executed for installation. When the downloaded additional processing is executed, however, an operating system, basic processing and the like might be subjected to an attack by the additional processing.

FIG. 42 is a diagram schematically showing one example of a typical structure of an information communication terminal device which executes downloaded additional processing. Illustrated schematically in FIG. 42 is a block diagram of a well-known typical device structure. In the following, description will be made of a case where additional processing is an application program or a device driver (software which makes an access request to a device and executes processing of interruption from a device and which is also referred to as “I/O driver”) provided by a native code (a binary code compiled or subjected to assembly processing on a provider side).

In the structure shown in FIG. 42, when an additional processing 23 is downloaded and executed (in a case where the additional processing 23 is a device driver, when the processing is incorporated into an operating system and executed), a basic processing 22, an operating system (called “OS”) 21, a CPU (Control Processing Unit) 10, a memory 50 and an input/output device (I/O) 60 might be directly attacked by the additional processing 23. The reason is that no means is mounted for restricting attack to the basic processing 22, the CPU 10, the OS 21, the memory 50 or the input/output device (I/O) from the additional processing 23 to realize safe execution environments. More specifically, in a case of the structure shown in FIG. 42, the additional processing 23 is assumed to be capable of arbitrarily issuing a processing request to the basic processing 22, a processing request to the OS 21 and processing requests to the CPU 10, the memory 50 and the input/output device 60 and be allowed to freely access each resource of hardware and software. As a result, the malicious additional processing 23 (or additional processing affected by virus or the like even without malicious intent) is allowed to freely attack the defenseless OS 21, basic processing 22 and the like.

There is a case where an additional device driver is incorporated in a kernel of the OS 21 as a resident driver, for example, in which case reliability of the device driver will directly affect reliability and performance of the OS 21. This is clear also from properties of a device driver that the device driver includes processing setting to a device and interruption service to be started by a scheduler at an interruption from a device and that execution time of the interruption service (during which time re-scheduling is inhibited) is limited to a time significantly short because of processing performance (e.g. less than a millisecond). In other words, if an additional device driver is a driver with malicious intent, processing performance of an information processing device could be deteriorated with ease. This is also the case with a loadable driver (a driver selectively loaded or unloaded to/from memory) not a resident driver. Thus, when a driver with malicious intent installed as additional processing attacks, the kernel of the OS 21 will be directly attacked to be fatal (goes substantially inoperable).

Under these circumstances, currently proposed are various kinds of design architectures for protecting basic processing and the like by limiting execution environments of a downloaded additional processing. In the following, outlines will be given with respect to several typical examples.

FIG. 43 is a diagram showing one typical example of a structure which presents environments for protecting execution of additional processing by software. In the example shown in FIG. 43, the additional processing 23 by native codes is designed to be executed on a virtual machine 24. As an example, assuming that the additional processing 23 is described in JAVA® byte codes, a downloaded JAVA® byte code will be executed on JVM (JAVA® virtual machine) forming the virtual machine 24.

In such a structure, the basic processing 22, the OS 21 and the like are separated from the additional processing 23 in terms of software to have their securities ensured. More specifically, the additional processing 23 accesses the OS 21, the CPU 10, the memory 50, the I/O 60 and the like only through the virtual machine 24. The virtual machine 24 is not ordinarily authorized to do execution in a kernel mode of the OS 21 (e.g. execution of a privileged instruction) or the like and therefore, the additional processing 23 is not allowed to directly operate the OS 21. In addition, since the virtual machine 24 in general executes an instruction code of the additional processing 23 in an interpreter method, monitoring adequacy of instructions/operation of the additional processing 23 is easy and by, for example, limiting unauthorized access (e.g. output of multiple data on a network or a screen and the like) to hardware resources and software resources from the additional processing 23, the virtual machine 24 is allowed to serve as a protective filter or a protective barrier, or a protective gate in terms of software. Thus, the basic processing 22, the OS 21 and the like are separated from the additional processing 23 through the virtual machine 24 in terms of software.

The virtual machine system shown in FIG. 43, however, has the following problems.

When the downloaded additional processing 23 attacks the virtual machine 24 through a hole (e.g. security hole) or other, system security will be damaged.

In addition, since the virtual machine 24 such as a JAVA® virtual machine in general adopts an interpreter method of interpreting and executing instruction codes such as JAVA® byte codes one instruction by one instruction, its execution rate is low.

Furthermore, although the virtual machine 24 makes a processing request to the OS 21 by issuing a system call at the time of execution of the additional processing 23, because an overhead of the system call is large, processing execution is slow. In the virtual machine 24, for example, one or a plurality of system calls corresponding to one instruction of the additional processing 23 are issued. A series of such control is executed to have a large overhead as context switching from a user mode to a system mode by system call issuance, decoding of packet data of a system call at a system call entry unit of the OS 21, justification check (error detection processing) of a parameter and the like, distribution (dispatch) of processing and furthermore, transfer of a processing result at the time of processing end, context switching, switching from a kernel space to a user space and the like.

Then, in a case of the structure shown in FIG. 43, it is not possible to incorporate a device driver as the additional processing 23 into the OS 21. As is clear from FIG. 43, the virtual machine 24 is located in the upper layer above the OS 21. With the virtual machine 24 structured to make a processing request to the OS 21 based on the codes of the additional processing 23, receive a processing result from the OS 21 and return the same to the additional processing 23 when necessary, incorporating additional processing as a device driver into the OS 21 requires incorporation of a virtual machine as well which controls execution of the additional processing into the OS 21, so that such a structure is in principle impossible in the virtual machine system shown in FIG. 43.

Known as another security management system by software is such a structure as shown in FIG. 44, for example. As shown in FIG. 44, the additional processing 23 is downloaded into a terminal (information processing device) with a certificate 25 attached for certifying that it can be trusted. The terminal side is structured to check the contents of the attached certificate 25 and, when authenticating that the attached certificate 25 is a proper certificate, allow installation and execution of the downloaded additional processing 23. As the certificate 25, digital signing (ITU-T X.509) may be used. With an organization to be certified and its public key, and digital signing of CA (certification authority) (encipherment of an organization to be certified or a public key by a secret key of CA), for example, stored in the certificate 25, when authenticating the certificate, decode a part of CA digital signing by the public key of CA to check whether the decoded contents coincide with the contents of the data of the certificate and determine that the data of the certificate is reliable when they coincide with each other. Alternatively, the certificate 25 may be an arbitrary certificate as long as it certifies a true vendor. Driver signing of a device driver is mounted also on Windows® 2000, for example.

In a case of the system shown in FIG. 44, the additional processing 23 can be provided by a native code, which enables higher-speed execution than in the virtual machine system shown in FIG. 43. Execution of an application and a device driver is also possible as the additional processing 23. System reliability, however, wholly depends on security of the additional processing 23. In other words, when the additional processing 23 has a problem which can not be sensed in advance, the system might be fatally damaged.

FIG. 45 is a diagram showing a structure of a processor which executes security management by hardware. With reference to FIG. 45, a CPU 11 has a secure mode 12 and a non-secure mode 13, and the downloaded additional processing 23 and an OS 21B corresponding to the additional processing 23 are mainly executed in the non-secure mode 13. Then, a memory management unit 14 manages a region (address space) of memory executed in the non-secure mode 13 separately from a region of memory accessed in the secure mode 12, so that an access to a memory region in the secure mode 12 from the non-secure mode 13 is inhibited. In other words, the memory management unit 14 executes memory access control from the non-secure mode 13 and control for inhibiting an access to a memory region in the secure mode 12 from the non-secure mode 13.

Thus, in the structure shown in FIG. 45, the basic processing 22 is executed in the secure mode 12 to virtually separate a CPU which executes the additional processing 23 and another CPU, thereby improving security.

The secure mode and the non-secure mode are, however, executed on a time division basis on the CPU and no system operation in the secure mode is executed unless returned from the non-secure mode.

In addition, since the non-secure mode and the secure mode are processed on a time division basis, such overhead as mode shift is generated at its switching.

Furthermore, when the additional processing 23 is incorporated as a device driver into the OS 21B in the non-secure mode, if the driver has malicious intent, return to the secure mode might be disabled to cause fatal damage to the system.

Referred to as a processor with a separation region provided in system memory and comprising a normal execution mode and a separated execution mode similarly to the structure shown in FIG. 45 is recitation of Japanese Translation of PCT International Application No. 2004-50666 (Literature 1). The device recited in Literature 1, with the normal execution mode being a mode operable in an ordinary operation mode without a security function provided to the processor in non-secure environments, that is, in the separated execution mode, is structured to inhibit an access to a separated region from the normal execution mode and support execution of a predetermined separation instruction in the separated execution mode. Even with such a structure, because the normal execution mode and the separated execution mode are processed on a time division basis, such overhead is generated as mode shift at its switching.

Also disclosed is a structure comprising two processor units and a switch unit, with one processor unit connected to a public data communication network and the other processor unit not connected to the public data communication network but functioning as a data security unit (see Japanese Translation of PCT International Application No. 2002-542537 (Literature 2)). The system recited in Literature 2 has the processor unit connected to the public data communication network and the data security unit separated by a switch, thereby ensuring security of the data security unit. The device, however, takes into no consideration a countermeasure against an attack to the processor unit connected to the public data communication network by the execution of the above-described additional processing (additional processing downloaded from a network or the like). While the data security unit is safe, the processor unit connected to the public data communication network fails to have a security mechanism effective to an attack by additional processing. For realizing security management in the processor unit connected to the public data communication network, therefore, it is necessary to adopt any of the above-described systems.

Furthermore, recited in Japanese Translation of PCT International Application No. 2002-533791 (Literature 3) is the system simultaneously executing an execution program or an operating system separated on a processor, in which for protecting false program execution environments, a memory space used only by a first program is set while the first program is executed, communication between the first program and a computer execution environment is executed through a single link including use of a shared memory space, dedicated interruption or a dedicated I/O port, and the first program has its access to resources on a processor restricted excluding a set memory space and a single link under a limited execution environment. In a case of the method recited in Literature 3, since the first program has its access to resources on a processor restricted excluding a set memory space and a single link (use of a shared memory space, dedicated interruption or a dedicated I/O port), the first program can not be used as a device driver and therefore can not be applied to additional processing including a device driver.

As a publication disclosing a technique related to an inter-processor communication unit used in the present invention which will be described later, Japanese Patent Laying-Open No. H6-332864 (Literature 4) discloses the system for communication between CPUs in a multiprocessor system. Recited in Literature 4 as its related art is a structure in which, at the execution of communication between CPUs by a multiprocessor by using a shared memory, when generating an interruption to a CPU1, a CPU2 writes communication information into an inter-CPU communication information write region for its own use in a fixed region for the CPU1 to generate an interruption and, when an interruption occurs, the CPU1 accesses an inter-CPU communication information write region corresponding to the CPU2 to execute interruption processing, and further recited is the invention intended to reduce the number of accesses of a shared memory.

Japanese Patent Laying-Open No. 2001-154999 (Literature 5) proposes the parallel computation system in which a processor analysis circuit detects a failure at the start-up of its own processor to ask a service processor for recovery and the service processor executes processing for the recovery.

Literature 1: Japanese Translation of PCT International Application No. 2004-500666.

Literature 2: Japanese Translation of PCT International Application No. 2002-542537.

Literature 3: Japanese Translation of PCT International Application No. 2002-533791.

Literature 4: Japanese Patent Laying-Open No. H6-332864.

Literature 5: Japanese Patent Laying-Open No. 2001-154999.

As described above, related devices with a countermeasure for ensuring security against an attack from downloaded malicious or false additional processing in practice have various kinds of problems remaining such as a problem in processing performance, a problem that execution of a device driver is impossible and a problem in ensuring security. In particular, as shown in FIG. 43 and FIG. 45, related to an information processing device, a design architecture which disables downloading of an additional device driver from outside the device shows that addition of a device and addition of a function are substantially impossible and in this term, has limited availability.

On the other hand, since when operating an additional device driver in a kernel mode, for example, reliability of an OS and a system is directly affected as described above, drastic improvement in ensuring security and in reliability is demanded.

Also recovery processing in a related parallel computation system whose one example is the technique disclosed in Literature 5 has a problem that processing will be executed in response to such a request with malicious intent as a notified recovery request including virus.

An object of the present invention is therefore to provide an information processing device, a recovery device, a program and a recovery method which enable a domain developing a fault due to added application program and device driver to be recovered with its security and reliability ensured.

SUMMARY

According to a first exemplary aspect of the invention, an information processing device, comprising a plurality of processors, wherein the plurality of processors form a plurality of domains according to processing contents to be executed, and the processors in different domains communicate with each other through a communication unit, and which further includes a recovery unit for executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by the domain and a recovery condition set in advance for each domain.

According to a second exemplary aspect of the invention, a recovery device for recovering, on an information processing device having a plurality of domains formed of a plurality of processors, a failure occurring on the domain, which comprises, with the plurality of processors forming a plurality of domains according to processing contents to be executed, a recovery unit for executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by the domain and a recovery condition set in advance for each domain.

According to a third exemplary aspect of the invention, a program executed on an information processing device as a computer processing device formed of a plurality of processors to realize recovery of a function of the information processing device, which makes the information processing device execute, with the plurality of processors forming a plurality of domains according to processing contents to be executed,

a communication function of causing the processors in different domains to communicate with each other, and

a recovery function of executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by the domain and a recovery condition set in advance for each domain.

According to a fourth exemplary aspect of the invention, a recovery method of recovering a processing function of an information processing device formed of a plurality of processors, includes

with the plurality of processors forming a plurality of domains according to processing contents to be executed, and

with the processors in different domains communicating by a communication step,

a recovery step of executing, by a recovery unit on the information processing device, failure recovery processing for a domain developing a fault based on a failure recovery request notified by the domain and a recovery condition set in advance for each domain.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing a hardware structure of an information processing device of a first example of the present invention;

FIG. 2 is a diagram showing a structure of an inter-processor communication unit of the first example;

FIG. 3 is a diagram for use in explaining operation of the inter-processor communication unit of the first example;

FIG. 4 is a diagram showing a structure of an access control unit of the first example;

FIG. 5 is a diagram showing an example of access allowance data of the access control unit of the first example;

FIG. 6 is a diagram for use in explaining operation of the access control unit of the first example;

FIG. 7 is a diagram showing another structure of an access control unit 30 of the first example;

FIG. 8 is a diagram showing a further structure of the access control unit 30 of the first example;

FIG. 9 is a diagram showing a hardware structure of an information processing device of a second example of the present invention;

FIG. 10 is a diagram showing a hardware structure of an information processing device of a third example of the present invention;

FIG. 11 is a diagram showing a hardware structure of a variation example of the information processing device of the third example;

FIG. 12 is a diagram showing a software structure of the information processing device of the third example;

FIG. 13 is a diagram for use in explaining operation of the third example;

FIG. 14 is a diagram for use in explaining operation of the third example;

FIG. 15 is a diagram for use in explaining operation of the third example;

FIG. 16 is a diagram for use in explaining operation of the third example;

FIG. 17 is a diagram for use in explaining operation of the third example;

FIG. 18 is a diagram for use in explaining operation of the third example;

FIG. 19 is a diagram for use in explaining operation of the third example;

FIG. 20 is a diagram for use in explaining operation of the third example;

FIG. 21 is a diagram showing a structure of an information processing device of a fourth example of the present invention;

FIG. 22 is a diagram for use in explaining operation of the fourth example;

FIG. 23 is a diagram for use in explaining operation of the fourth example;

FIG. 24 is a diagram showing a structure of an information processing device according to a first exemplary embodiment of the present invention;

FIG. 25 is a diagram showing one example of reliability set in the first exemplary embodiment of the present invention;

FIG. 26 is a diagram showing a structure of a domain stop recovery unit 400 of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 27 is a diagram showing one example of a correspondence relationship between contents of communication processing (processing contents) and a layered structure of communication at the information processing device according to the first exemplary embodiment of the present invention;

FIG. 28 is a block diagram showing one example of a hardware structure of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 29 is a diagram for use in explaining one example of operation of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 30 is a diagram for use in explaining one example of operation of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 31 is a diagram for use in explaining one example of operation of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 32 is a diagram for use in explaining one example of operation of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 33 is a diagram for use in explaining one example of operation of the information processing device according to the first exemplary embodiment of the present invention;

FIG. 34 is a diagram showing a structure of a domain stop recovery unit 400 of an information processing device according to a second exemplary embodiment of the present invention;

FIG. 35 is a diagram for use in explaining one example of operation of the information processing device according to the second exemplary embodiment of the present invention;

FIG. 36 is a diagram for use in explaining one example of operation of the information processing device according to the second exemplary embodiment of the present invention;

FIG. 37 is a diagram for use in explaining one example of operation of the information processing device according to the second exemplary embodiment of the present invention;

FIG. 38 is a diagram showing a structure of a domain stop recovery unit 400 of an information processing device according to a third exemplary embodiment of the present invention;

FIG. 39 is a diagram showing one example of contents of a recovery processing allowance data 404 a of the information processing device according to the third exemplary embodiment of the present invention;

FIG. 40 is a diagram for use in explaining one example of operation of a recovery processing control unit 404 of the information processing device according to the third exemplary embodiment of the present invention;

FIG. 41 is a diagram showing a structure of a domain stop recovery unit 400 of an information processing device according to a fourth exemplary embodiment of the present invention;

FIG. 42 is a diagram showing one example of a related system structure;

FIG. 43 is a diagram showing another example of a related system structure;

FIG. 44 is a diagram showing a further example of a related system structure; and

FIG. 45 is a diagram showing a still further example of a related system structure.

EXEMPLARY EMBODIMENT

First, a basic structure of an information processing device to which the present invention is applied will be described.

According to a first example of the basic structure, in an information processing device having a multi-CPU structure including a plurality of CPUs, the plurality of CPUs are divided into a plurality of domains (e.g. basic domain, trusted domain, untrusted domain and the like) according to a security level of a program (processing) to be executed.

A basic domain is assumed to be a domain which executes processing whose security level is higher than a fixed level, a trusted domain is assumed to be a domain having at least one processing whose security level is lower than that of processing executed by a basic domain, and an untrusted domain is assumed to be a domain having at least one processing whose security level is lower than that of processing executed by a trusted domain.

Alternatively, the basic domain may have each execution processing whose fixed security level is the same as a security level of execution processing in the trusted domain or higher than a security level of execution processing in the trusted domain and includes at least one processing whose security level is higher as a set of execution processings of the basic domain.

The trusted domain may have each execution processing whose fixed security level is the same as a security level of execution processing in the untrusted domain or higher than a security level of execution processing in the untrusted domain and includes at least one processing whose security level is higher as a set of execution processings of each domain. In this case, the basic domain executes processing whose security level is relatively higher than that of the trusted domain and the trusted domain executes processing whose security level is relatively higher than that of the untrusted domain.

Each domain is structured to include one or a plurality of CPUs and execute communication of CPU between different domains through an inter-processor communication unit (e.g. 40 in FIG. 1), in which when a CPU belonging to a domain executing low security processing such as additional processing accesses memory and an input/output device of a domain executing high security processing, to a relevant access request, access allowance/non-allowance is determined by an access control unit (e.g. 30 in FIG. 1) to make only an allowed access.

The first example thus structured ensures security of a high security domain by executing downloaded additional processing (including a device driver and an application program) by a CPU on a lower security domain side having a hardware structure other than that of the high security domain.

Downloading here includes downloading to an information device via not only a data communication network provided by a carrier of a mobile phone and a common radio LAN network but also such connection as an accumulation type medium whose representative is an SD card and a wire communication medium whose representative is USB.

Then, according to the first example, synchronization and cooperative operation between CPUs of a high security domain and a low security domain are enabled while guaranteeing security by not separately controlling CPUs of the high security domain and the low security domain by a switch or the like but connecting them through an inter-processor communication unit which enables communication with each other.

The inter-processor communication unit (40 in FIG. 1) is structured to transfer data (command) from a CPU of one domain to a CPU of another domain and not structured to make a direct attack to a CPU of another domain and the like. For example, even when trying to cause degradation of CPU performance of a high security domain, buffer overflow and the like by continuously transmitting a large volume of data from a CPU on a low security domain side to a CPU on a high security domain side, relevant data is suppressed by the inter-processor communication unit to prevent transmission to the CPU of the high security domain.

Also in the first example, the access control unit (30 in FIG. 1) executes access control of allowing a CPU on a low security domain side only an access of a form allowed in advance to a memory space, an input/output device and the like allowed in advance. This enables an attack to a high security domain from a downloaded additional processing to be prevented. Alternatively, by the control of a band, a flow and the like by the access control unit as required, various kinds of attacks from a downloaded additional processing to a high security domain can be prevented. Description will be made along the first example in the following.

FIG. 1 is a diagram showing a structure of the first example. With reference to FIG. 1, provided are a group 10A of CPUs which execute a software 20A including a basic processing 22 and an OS 21A, a group 10B of CPUs which execute a software 20B including an additional processing 23 and an additional processing compatible OS 21B, inter-processor communication units 401 and 402 which execute communication between the CPU groups 10A and 10B, and an access control unit 30 which controls an access by the CPU group 10B to a memory 50 and/or an input/output device (I/O) 60. Although shown in FIG. 1 are the CPU group 10A and the CPU group 10B each formed of a plurality (three) of CPUs, it is apparent that each group can be formed of one CPU. It is also apparent that in the CPU group 10A and the CPU group 10B, the number of CPUs in each group need not be the same. In the following, the CPU group 10A and the CPU group 10B will be simply referred to as the CPU 10A and the CPU 10B. In the first example, the additional processing 23 to be downloaded is formed of a native code of a binary format. It may have a binary format obtained by subjecting a downloaded source program to compiling processing (assembling processing).

According to the first example, with the CPU 10B executing theadditional processing 23 provided separately from the CPU 10A executingthe basic processing 22, the CPU 10A and the CPU 10B which are operableindependently realize high-speed execution while improving security,thereby enabling execution of an application program and a devicedriver. It is apparent that possible is a structure in which with theCPU 10A executing the basic processing 22 as a master and the CPU 10Bexecuting the additional processing 23 as a slave, the slave sideoperates under the supervision of the master. In this case, for example,execution of the additional processing 23 by the CPU 10B is realized byreceiving a command from the CPU 10A through the inter-processorcommunication unit 402.

The inter-processor communication units 401 and 402 control datatransmission and reception between the CPU 10A and the CPU 10B. Beingdisposed independently, the CPUs 10A and 10B are allowed to executetheir processing (programs) in parallel to each other, while synchronousprocessing and cooperative (highlighting) processing between the CPU 10Aand the CPU 10B through the inter-processor communication units 401 and402 are enabled as well. As an example, when a user instructs onexecution of additional processing on a screen of a display device, theCPU 10A executing the basic processing 22 transmits a request forstarting the additional processing 23 to the CPU 10B through theinter-processor communication unit 401, so that the additionalprocessing 23 is executed on the CPU 10B to transmit an execution resultfrom the CPU 10B to the CPU 10A through the inter-processorcommunication unit 402 and a screen control routine or the like formingthe basic processing 22 presents information reflecting the executionresult of the additional processing 23 to a user.

The first example is structured such that at the execution of theadditional processing 23 by the CPU 10B, when a request for access tothe memory 50 or the input/output device (I/O) 60 is made, the accesscontrol unit 30 executes control for allowing the access to execute onlyan allowed access request to the memory 50 and the input/output device(I/O) 60. Then, in the CPU 10B, the additional processing 23 is executedon the OS 21B and when a processing request to the basic processing 22or the OS 21A is issued from the additional processing 23, the requestis notified to the CPU 10A through the inter-processor communicationunit 401. In other words, the additional processing 23 is not allowed todirectly operate the basic processing 22. For example, even when theadditional processing 23 with malicious intent tries to drasticallydecrease execution performance of the basic processing on the CPU 10Aside by frequently issuing a request to the CPU 10A to give loads, suchattack as described above can be prevented to ensure security by thecontrol by the inter-processor communication unit 401 to preventtransmission of such a request to the CPU 10A side.

In the example shown in FIG. 1, the inter-processor communication unit401 controls information transfer from the CPU 10B to the CPU 10A andthe inter-processor communication unit 402 controls informationtransmission from the CPU 10A to the CPU 10B. It is apparent thatalternatively, one inter-processor communication device is structured toexecute interactive transmission and reception of data. In the firstexample, when a plurality of CPUs 10A executing the basic processing 22require communication between the CPUs, communication between CPUs isexecuted without using the inter-processor communication unit 40. Thisis also the case with a plurality of CPUs 10B which execute theadditional processing 23. As will be described later, when some of theplurality of CPUs forming the CPU group 10B are dynamically switched asan element of the CPU group 10A, although the CPU group 10B logicallybelongs to the CPU group 10A, communication between the CPUs may beexecuted through the inter-processor communication unit 40.

The first example is assumed to enable downloading, installation andexecution of an application program and a device driver to be executedas the additional processing 23. An added device driver is incorporatedinto the OS 21B and executed on the CPU 10B and control of access to theinput/output device 60 is executed under the monitoring by the accesscontrol unit 30.

In such a portable information communication device as a mobile phone or PDA, the basic processing 22 and the OS 21A in FIG. 1 are in general stored in a rewritable non-volatile memory (EEPROM: Electrically Erasable Programmable ROM), not shown, and the CPU 10A fetches, decodes and executes instruction code from the EEPROM. In other words, the memories holding the OSs 21A and 21B which execute the basic processing 22 and the additional processing 23, respectively, are separated from each other in terms of hardware on the basic processing side and the additional processing side. Then, while the instruction code of the basic processing, the OS and the like stored in the EEPROM is executed, data such as tables which are initialized, referred to and updated by an executing program is expanded into the memory 50 formed of DRAM (Dynamic Random Access Memory) by the CPUs 10A and 10B at the time of start-up of each OS. Then, as to the CPU 10B, the access control unit 30 manages the memory region to be read/written so as to limit access to the memory region referred to by the CPU 10A. Also in common information processing devices other than a portable information communication terminal, it is apparent that the memory into which the basic processing 22 and the OS 21A are loaded and whose instruction code is fetched by the CPU 10A, and the memory into which the additional processing 23 and the OS 21B are loaded and whose instruction code is fetched by the CPU 10B, can be provided separately. Alternatively, it is possible in a common information processing device to provide, separately from each other in the memory 50, a region into which the basic processing 22 and the OS 21A are loaded and a region into which the additional processing 23 and the OS 21B are loaded, and to have read/write access by the CPU 10B to the memory 50 managed by the access control unit 30. In this case, with code referred to by both the CPU 10A and the CPU 10B stored only in a common memory region, the access control unit 30 may execute access control such that the CPU 10B is allowed only to read from the common memory region.

Also in a portable information processing device, when the remaining power of a mounted battery is reduced, the remaining power can be saved by forcibly shutting down CPUs other than the one executing the basic processing, or by preferentially shutting down a CPU executing processing of lower reliability according to the reliability of the processing to be executed. This can be realized, for example, by processing in which the CPU executing the basic processing makes a determination based on information on remaining battery power obtained by a unit for detecting remaining battery power and a unit for notifying the detection result, and executes the shut-down.

Furthermore, since resources in a portable information processing device, for example the bandwidth of communication with the outside or the amount of non-volatile memory, are further limited, the relative share of resources secured can be changed according to reliability. This can be realized, for example, by a determination made by the CPU executing the basic processing which preferentially allows resources to be secured when the reliability of the processing to be executed is high and limits the resources when the reliability is low.

FIG. 2 is a diagram showing one example of a hardware structure of the inter-processor communication unit in the first example. With reference to FIG. 2, one set of an interruption control device 41 and a shared memory 42 disposed between the CPUs on the opposite sides (a CPU executing the basic processing and a CPU executing the additional processing) forms the whole of the inter-processor communication units 401 and 402 in FIG. 1. The interruption control device 41 comprises a number n of interruption control devices 410˜41n for a CPU#0, a CPU#1, . . . a CPU#n, each of which comprises an interruption instruction unit 411, an interrupted state holding unit 412 and an interruption canceling unit 413. The shared memory 42 comprises the number n of communication regions 420˜42n for the CPU#0, the CPU#1, . . . the CPU#n, each of which comprises a communication queue 421 for queuing or buffering transmission information (data, messages) and an exclusive control region 422 for executing mutual exclusion control.

Assuming two regions, for example for the CPU#0 and the CPU#1, the interruption control device 411 for the CPU#1 and the communication region 421 for the CPU#1 form the inter-processor communication unit 401 from the CPU#0 to the CPU#1, and the interruption control device 410 for the CPU#0 and the communication region 420 for the CPU#0 form the inter-processor communication unit 402 from the CPU#1 to the CPU#0.

The interruption control device 41 and the shared memory 42 are assumed to be connected to the CPU#0, the CPU#1, . . . the CPU#n through a bus. In the communication queue 421 of the shared memory 42, not the transmission data itself but a buffer pointer (e.g. the address of a buffer region of the memory 50) which stores the transmission data may be set.

In the first example, an exclusive control region 422i of a CPU#i in the shared memory 42 is provided to execute mutual exclusion control so as to prevent, when the communication region 42i of the CPU#i is already occupied by a certain CPU, another CPU from using the communication region 42i of the CPU#i. More specifically, the exclusive control region 422i of the CPU#i is used for storing synchronization management information such as a semaphore (including a mutex) or a flag.

The mutual exclusion control mechanism mounted on the shared memory 42 guarantees data consistency between a transmission CPU and a reception CPU.

In addition, due to the mutual exclusion control mechanism, the transmission side CPU is not allowed to have an interruption request accepted while the exclusive control region 422 is locked, thereby preventing unfair interruption generation such as frequent data transmission from the transmission CPU to the reception CPU.

The exclusive control region 422 may also be used for lock management of enqueuing and dequeuing.

In FIG. 2, when the structure allows multiple interruptions to one reception CPU through the interruption control device 41, the communication queue 421 and the exclusive control region 422 in the communication region of each CPU are provided in multiple in the shared memory 42.

Although not limited in particular, as to the shared memory 42, a predetermined memory region of the memory 50 in FIG. 1 may be used as the shared memory, or it may be provided in the inter-processor communication unit 40 separately from the memory 50. In addition, although not shown in the figure, interrupt request lines from the interruption control devices 410˜41n may be connected in parallel to the reception CPU (the number of interrupt inputs is increased) or connected in a daisy chain manner.

Upon receiving an interruption request from the interruption control device 41, the reception CPU acknowledges the request to the interruption control device 41; the interruption control device 41 transfers an interruption device number (interruption vector information) on a data line not shown and the reception CPU generates an interruption vector from the interruption device number, so that an interruption service routine to be executed on the reception CPU is started through a scheduler. This interruption service routine executes a series of control steps of obtaining data from the communication queue of the corresponding shared memory 42 and releasing (unlocking) the semaphore, such as a mutex, in the exclusive control region, and then returns from the interruption.

FIG. 3 is a diagram for use in explaining an operation procedure of the inter-processor communication unit of the first example shown in FIG. 2, which illustrates the procedure in a case of transferring data from a CPU#k to the CPU#0. In FIG. 3, numerals beside arrows represent step numbers.

Step 1: The transmission CPU#k locks the exclusive control region of the communication region for the CPU#0 in the shared memory 42. When it is indicated that the exclusive control region of the communication region for the CPU#0 in the shared memory 42 is locked by another CPU, the CPU#k waits for the lock to be released, for example.

Step 2: After locking the exclusive control region of the communication region for the CPU#0 in the shared memory 42, the transmission CPU#k writes the data to be transmitted to the reception CPU#0 into the communication queue of the CPU#0 communication region in the shared memory 42.

Step 3: The transmission CPU#k notifies an interruption request to the interruption instruction unit of the CPU#0 interruption control device in the interruption control device 41.

Step 4: The interruption instruction unit of the CPU#0 interruption control device updates the interrupted state holding unit of the CPU#0 interruption control device to set "interruption request exists".

Step 5: The interruption instruction unit of the CPU#0 interruption control device causes an interruption to the reception CPU#0.

Step 6: The reception CPU#0 receives the interruption from the interruption instruction unit of the CPU#0 interruption control device and takes out the data from the communication queue of the communication region for the CPU#0 in the shared memory 42. At this time, in the reception CPU#0, processing by the above-described interruption service routine is executed.

Step 7: After obtaining the data from the communication queue of the communication region for the CPU#0 in the shared memory 42, the reception CPU#0 notifies the interruption canceling unit for the CPU#0 of completion of the interruption processing.

Step 8: The interruption instruction unit of the CPU#0 interruption control device, having received the take-in completion notification from the reception CPU#0, updates the interrupted state holding unit of the CPU#0 interruption control device.

Step 9: The reception CPU#0 unlocks the exclusive control region of the communication region for the CPU#0 in the shared memory 42.

In the first example, when a concentration of interruption requests on a specific reception CPU is confirmed, flow control such as control of interruption requests to the reception CPU or bandwidth control may be executed. In other words, a QoS (Quality of Service) guaranteeing function may be provided in the interruption control device 41 for restricting the transfer of interruption requests issued successively or frequently from the transmission CPU side to the reception CPU side. For example, an interruption request involving no transfer of data to the reception CPU cannot be made a target of exclusive control and can be issued successively in plurality. It is therefore possible, in a case where interruption requests from the transmission CPU side are generated while interruption processing is yet to be completed on the reception CPU side, so that the count of "interruption request exists" in the interrupted state holding unit in the interruption control device 41 exceeds a fixed value, to execute control such that a following interruption request from the transmission CPU side is not allowed. This structure enables prevention of such an attack as degradation of the performance of the reception CPU caused by the transmission CPU generating a large number of interruption requests involving no transfer of data to the reception CPU.
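The following is an added example, not part of the patent text, which models the Steps 1 to 9 above together with the QoS limit on outstanding interruption requests in software. The class names, the representation of the exclusive control region as an owner-tracking mutex, the counter used for the interrupted state holding unit and the fixed value `max_pending` are assumptions of this example; the numbers 41i, 42i, 411, 412, 413, 421 and 422 in the comments refer to the elements of FIG. 2.

```python
from collections import deque


class CommunicationRegion:
    """Communication region 42i of one reception CPU in the shared memory 42:
    a communication queue (421) plus an exclusive control region (422),
    modelled here as a mutex that records its owner."""

    def __init__(self):
        self.queue = deque()
        self.lock_owner = None          # None = unlocked

    def lock(self, cpu):
        # Step 1: a transmission CPU must hold the region before enqueuing.
        if self.lock_owner is not None and self.lock_owner != cpu:
            return False                # held by another CPU; caller waits/retries
        self.lock_owner = cpu
        return True

    def unlock(self):
        # Step 9: the reception CPU releases the region after taking the data.
        self.lock_owner = None


class InterruptionControlDevice:
    """Interruption control device 41i of one reception CPU. The interrupted
    state holding unit (412) is modelled as a counter of outstanding requests;
    max_pending is the assumed QoS "fixed value" from the text."""

    def __init__(self, max_pending):
        self.pending = 0                # "interruption request exists" count
        self.max_pending = max_pending
        self.rejected = 0               # requests refused by the QoS function

    def request(self):
        # Steps 3-5: the interruption instruction unit (411) records the request
        # and raises the interrupt unless the fixed value has been reached.
        if self.pending >= self.max_pending:
            self.rejected += 1
            return False
        self.pending += 1
        return True

    def cancel(self):
        # Steps 7-8: the interruption canceling unit (413) clears one request.
        if self.pending > 0:
            self.pending -= 1


class InterProcessorCommunicationUnit:
    """One region and one interruption control device per CPU, as in FIG. 2."""

    def __init__(self, n_cpus, max_pending=4):
        self.regions = {i: CommunicationRegion() for i in range(n_cpus)}
        self.icd = {i: InterruptionControlDevice(max_pending) for i in range(n_cpus)}

    def send(self, src, dst, data):
        """Transmission side (steps 1-3). True if the interrupt was raised."""
        region = self.regions[dst]
        if not region.lock(src):                # step 1
            return False
        region.queue.append(data)               # step 2: data or a buffer pointer
        if not self.icd[dst].request():         # steps 3-5, subject to QoS
            region.queue.pop()                  # refused: leave the queue untouched
            if not region.queue:
                region.unlock()
            return False
        return True

    def receive(self, dst):
        """Reception side interruption service routine (steps 6-9)."""
        region = self.regions[dst]
        if not region.queue:
            return None
        data = region.queue.popleft()           # step 6
        self.icd[dst].cancel()                  # steps 7-8
        region.unlock()                         # step 9
        return data


def flood_scenario(max_pending=4, attempts=10):
    """Constructed scenario: CPU#2 raises `attempts` requests at CPU#0 before
    CPU#0 services any of them. Returns (accepted, rejected, queued)."""
    ipc = InterProcessorCommunicationUnit(n_cpus=3, max_pending=max_pending)
    accepted = sum(1 for i in range(attempts) if ipc.send(2, 0, f"msg{i}"))
    return accepted, ipc.icd[0].rejected, len(ipc.regions[0].queue)
```

In `flood_scenario`, once four requests are outstanding the device refuses every further request until the reception CPU runs its service routine, which is the bound on interrupt-driven load the text describes; the lock check in `send` separately stops a second transmission CPU from touching a region another CPU currently holds.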

FIG. 4 is a diagram showing a structure of the access control unit 30 in the first example shown in FIG. 1. With reference to FIG. 4, the access control unit 30 comprises an access allowance unit 31, connected to the CPU 10A executing the basic processing (22 in FIG. 1) through a basic side bus 70A and to the CPU 10B executing the additional processing (23 in FIG. 1) through an addition side bus 70B, and a storage unit which stores access allowance data 32.

The access allowance data 32 may be read and written by the CPU 10A. From the access allowance unit 31, only reading is allowed. The access allowance data 32 may be neither read nor written by the CPU 10B; in other words, there is no data bus between the access allowance data 32 and the CPU 10B.

The access allowance unit 31 determines the kind of access (read/write) based on the access address signal and the control signal (access command) for the memory 50 (see FIG. 1) which are transferred on the address signal line and the control signal line of the addition side bus 70B, and refers to the information in the access allowance data 32 to determine whether the access in question is adequate or not. When the access is determined to be improper as a result, the access allowance unit 31 refrains from sending the access address and the control signal (access command) to the basic side bus 70A, thereby preventing an access from the CPU 10B side to the basic side bus 70A. In this case, the CPU 10B side, having sent the access address to the addition side bus 70B, learns that the access in question has failed by a bus error, by no reply to the read/write address from the memory 50, or the like.

When the input/output device (I/O) 60 is memory mapped, the access allowance unit 31 monitors the addition side bus 70B, detects that the access address is an address corresponding to the input/output device and, when it detects an I/O command (read/write or the like) on the data bus, determines whether the access in question is appropriate or not with reference to the information in the access allowance data 32. When the input/output device is not memory mapped, the unit decodes the device number of the input/output device and the I/O command transferred on the addition side bus 70B and refers to the information in the access allowance data 32 to determine whether the access is allowed or not.

In the first example, the access control unit 30 may comprise a band restriction unit for controlling the amount of data transferred per unit time. As one example, the access control unit 30 may comprise a unit for measuring and monitoring the volume of data transferred from the CPU 10B to the addition side bus 70B while the CPU 10B is performing accesses, and on that basis stop data transfer from the CPU 10B to the CPU 10A when, for example, the number of bytes transferred per unit time exceeds a threshold value set in advance. At that time, even when the CPU 10B learns that the data transfer to the CPU 10A has failed and retries, the access control unit 30 refrains from transferring data from the CPU 10B to the CPU 10A. The access control unit 30 may alternatively be structured to comprise a buffer which accumulates the data transferred from the CPU 10B to the addition side bus 70B and to control the flow of data to be transferred to the CPU 10A.

FIG. 5 is a diagram showing one example of the access allowance data 32 in the first example. With reference to FIG. 5, the access allowance data is stored in table format and includes the CPU which executes additional processing (a CPU connected to the addition side bus in FIG. 4), an allowed address range formed of a starting point address and an ending point address of the range in which access is allowed, and the allowed kind of access (read, read/write, or write). The allowed address ranges of different CPUs may overlap with each other. In the example shown in FIG. 5, the allowed address range of CPUs #2 and #3 in the second row is from 0xC000000 to 0xF00000 and readable/writable (R/W), and the allowed address range of the CPU #3 in the third row is from 0xE000000 to 0xF000000, which overlaps with that of the second row. The larger the number of entries in the access allowance data (i.e. the number of rows in the table), the finer the access control that can be made. Although FIG. 5 illustrates R (readable), W (writable) and R/W (readable/writable) as an example for the sake of explanation, R (Readable) indicates information allowing only reading and not writing, so that when W is defined as writable (and also readable), R/W becomes unnecessary. In addition, an address range from which reading is not allowed (and to which writing is not allowed either) is not stored in the access allowance data 32. While in the example shown in FIG. 5 the access allowance data holds an address range and a kind of access for each CPU whose access is allowed, the access allowance data may further be provided with information indicating non-allowance as a kind of access, so as to store, for a CPU which executes additional processing, an address range to which access is not allowed.

The access allowance unit 31 in FIG. 4 receives an access request (address, read command) from the addition side CPU, refers to the allowed address range and the kind of access in the access allowance data 32, and in the case of an allowed access, allows the access. Otherwise, the unit refuses the access. In the example shown in FIG. 5, for the CPU#4, the range is set from the starting point address 1000 to the ending point address 2000 (hexadecimal) and the kind of access is set to read (R). For CPU#2 or #3, the range is set from the starting point address 0xC000000 to the ending point address 0xF000000 (hexadecimal) and the kind of access is set to read and write (R/W). For the CPU#3, the kind of access for the range from the starting point address 0xE000000 to the ending point address 0xF000000 (hexadecimal) is set to write (W).

FIG. 6 is a diagram for use in explaining one example of the operation of the access control unit 30 in FIG. 4. In FIG. 6, numerals beside arrows indicate step numbers.

Step 1: The CPU 10A executing the basic processing sets the access allowance data 32 of the access control unit 30 so as to inhibit the CPU 10B executing all the additional processing from reading a certain address range.

Step 2: Assume that, through execution of the additional processing 23 or the like, the CPU 10B issues a request to read the address range from which reading is inhibited.

Step 3: The access allowance unit 31 reads the access allowance data 32 to check whether the relevant access is appropriate.

Step 4: The access allowance unit 31 returns an error to the CPU 10B, because reading of the relevant address range by the CPU 10B is inhibited.

Step 5: The CPU 10B issues a request to read a range other than the above-described address range.

Step 6: The access allowance unit 31 reads and checks the access allowance data 32.

Step 7: The access allowance unit 31 allows the read access request from the CPU 10B and issues a read request to the basic side bus 70A.

Although in the first example the description has been made of a case where the access control unit 30 comprises the access allowance unit 31 and the access allowance data 32 and executes access control based on access allowance information, the structure is not limited to that shown in the first example; access refusal data (the inversion of access allowance data) and an access refusal unit may be provided in place of them. In this case, when an access address from the CPU 10B executing the additional processing falls within an address range for which access refusal is defined in the access refusal data, the access refusal unit executes control for refusing the access.
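The following is an added example, not part of the patent text, which models the FIG. 5 access allowance data, the lookup made by the access allowance unit 31 in the FIG. 6 steps, the band restriction unit described for the first example, and the inverted access refusal data just mentioned. The three rows of `ACCESS_ALLOWANCE_DATA` are the ones the text describes for FIG. 5; the kinds R, W and R/W are interpreted literally (R permits only reads, W only writes), and the refusal row, the byte threshold, the unit-time tick, the function names and the result strings are constructed for this example.

```python
from dataclasses import dataclass

R, W, RW = "R", "W", "R/W"          # kinds of access as named in FIG. 5


@dataclass(frozen=True)
class AllowanceEntry:
    cpus: frozenset                  # CPUs on the addition side bus this row applies to
    start: int                       # starting point address (inclusive)
    end: int                         # ending point address (inclusive)
    kind: str                        # R, W or R/W


# Access allowance data 32 with the three rows the text describes for FIG. 5.
ACCESS_ALLOWANCE_DATA = [
    AllowanceEntry(frozenset({4}), 0x1000, 0x2000, R),
    AllowanceEntry(frozenset({2, 3}), 0xC000000, 0xF000000, RW),
    AllowanceEntry(frozenset({3}), 0xE000000, 0xF000000, W),
]

# Inverted form from the text: access refusal data lists ranges that are refused
# for a CPU and everything else is allowed. The row is constructed.
ACCESS_REFUSAL_DATA = [AllowanceEntry(frozenset({4}), 0x3000, 0x3FFF, RW)]


def _permits(kind_allowed, kind_requested):
    # Kinds are taken literally here: R allows only reads, W only writes.
    return kind_allowed == RW or kind_allowed == kind_requested


def is_allowed(table, cpu, addr, kind):
    """Access allowance unit 31 lookup: allowed iff some row for this CPU covers
    addr with a permitting kind. Rows may overlap; any one of them suffices, and
    a range absent from the table is implicitly refused."""
    return any(cpu in e.cpus and e.start <= addr <= e.end and _permits(e.kind, kind)
               for e in table)


def is_refused(table, cpu, addr):
    """Access refusal unit lookup over access refusal data (the inverted design)."""
    return any(cpu in e.cpus and e.start <= addr <= e.end for e in table)


class AccessControlUnit:
    """Allowance check plus the band restriction unit: at most window_bytes per
    unit time per CPU may be forwarded to the basic side bus 70A (threshold
    value and unit time are assumptions of this example)."""

    def __init__(self, table, window_bytes=4096):
        self.table = list(table)
        self.window_bytes = window_bytes
        self.bytes_this_window = {}   # per-CPU byte counter for the current unit time
        self.log = []                 # constructed record of refused requests

    def access(self, cpu, addr, kind, nbytes=4):
        """Returns 'ok' when the request is forwarded to the basic side bus,
        'bus_error' when the table refuses it (what the CPU 10B observes) and
        'throttled' when the band restriction stops it; retries in the same
        unit time are throttled as well."""
        if not is_allowed(self.table, cpu, addr, kind):
            self.log.append((cpu, hex(addr), kind, "bus_error"))
            return "bus_error"
        used = self.bytes_this_window.get(cpu, 0) + nbytes
        if used > self.window_bytes:
            self.log.append((cpu, hex(addr), kind, "throttled"))
            return "throttled"
        self.bytes_this_window[cpu] = used
        return "ok"

    def new_unit_time(self):
        """Timer tick: start a new unit time for the band counters."""
        self.bytes_this_window.clear()


def fig6_scenario():
    """Constructed walk-through of the FIG. 6 steps for CPU#4: a read outside
    its allowed range, then a read inside it. Returns the two results."""
    unit = AccessControlUnit(ACCESS_ALLOWANCE_DATA)
    return unit.access(4, 0x3000, R), unit.access(4, 0x1800, R)
```

Because the table is positive (only allowed ranges are stored), a CPU that is not listed in any row has no access at all, which matches the remark that ranges refused for reading and writing simply do not appear in the data 32; the refusal-data variant has the opposite default and must therefore be populated with every range that is to be protected.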

As a modification of the first example, the access allowance unit 31 may comprise a cache. In this case, the access address and the access allowance data used in an access determination are stored in the cache, so that in a subsequent access control determination it is checked whether access allowance data for the relevant access address (address range) exists in the cache, and in the case of a cache hit the access determination is sped up. The cache is structured to comprise tag addresses corresponding to ranges of access addresses together with access allowance data, and a cache-hit determination circuit for determining whether an access address on the addition side bus 70B hits the cache or not.

Furthermore, as a modification of the first example, the access control unit 30 may comprise new access allowance data 33 and an access allowance data update unit 34. With reference to FIG. 7, the access control unit 30 comprises, in addition to the components of the first example shown in FIG. 6, the access allowance data update unit 34 connected to the basic side bus 70A and a storage unit storing the new access allowance data 33. The functions of these two units will be described in detail.

The new access allowance data 33 is held in a storage unit which, in addition to having the same features as the access allowance data 32 shown in FIG. 6, allows reading only from the access allowance data update unit 34.

The access allowance data update unit 34 atomically overwrites the access allowance data 32 with the contents of the new access allowance data 33 in response to a request from the CPU 10A through the basic side bus 70A.

In this modification of the first example, a unit may instead be provided which does not update the access allowance data 32 but switches over to the new access allowance data 33.

Such a structure enables the access allowance data 32 to be rewritten atomically by a CPU, thereby enabling dynamic change of the region to be protected and the region to be restricted by the access control unit 30.

FIG. 8 is a diagram showing another structure of the access control unit 30 of the first example. With reference to FIG. 8, the access control unit 30 comprises an access monitoring unit 35 and a learning unit 36 connected to the addition side bus 70B, in addition to the components of the first example shown in FIG. 6. The functions of these units will be detailed.

The access monitoring unit 35 obtains access information from the CPU 10B through the addition side bus 70B, in the same way as the access allowance unit 31.

Based on the access information provided by the access monitoring unit 35, the learning unit 36 determines whether a reference is adequate or not. When, for example, the number of references to user protection data, counted continuously, exceeds a threshold value designated in advance, the learning unit recognizes the situation as an abnormal condition and notifies the access monitoring unit 35 of it so that the access allowance data 32 is dynamically changed according to rules set separately. Depending on the case, it also notifies the CPU 10A connected to the basic side bus 70A so that processing to be executed in an abnormal condition is started.

Such a structure enables autonomous limitation by accumulating, as history information, the operation of a CPU whose reliability is considered to be low from among the access patterns actually observed, thereby enabling safer execution control based on the operating situation of a CPU in real operation.

As a further structural example, the access control unit 30 may comprise, in addition to the components shown in FIG. 6, all of the above-described new access allowance data 33, access allowance data update unit 34, access monitoring unit 35 and learning unit 36.
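The following is an added example, not part of the patent text, which combines the FIG. 7 atomic update path (new access allowance data 33 and update unit 34) with the FIG. 8 access monitoring unit 35 and learning unit 36 in one software model, as the preceding paragraph suggests. The address range taken as "user protection data", the threshold, the rule applied when an abnormal condition is recognized (the offending CPU is removed from every row overlapping the protected range), the use of a lock for the atomic swap and all names are assumptions of this example.

```python
from dataclasses import dataclass, replace
import threading


@dataclass(frozen=True)
class Entry:
    cpus: frozenset      # addition side CPUs the row applies to
    start: int           # starting point address (inclusive)
    end: int             # ending point address (inclusive)
    kind: str            # "R", "W" or "R/W"


def _lookup(table, cpu, addr, kind):
    # Access allowance unit 31: any covering row with a permitting kind suffices.
    return any(cpu in e.cpus and e.start <= addr <= e.end
               and (e.kind == "R/W" or e.kind == kind) for e in table)


class AccessControlUnit:
    """Access allowance data 32 held as an immutable snapshot, the new access
    allowance data 33 as a staged replacement, the update unit 34 as an atomic
    swap, and units 35/36 as a reference counter over a protected range."""

    def __init__(self, allowance, protected_range, threshold):
        self._allowance = tuple(allowance)        # data 32
        self._new_allowance = None                # data 33 (written by CPU 10A)
        self._update_lock = threading.Lock()      # update unit 34
        self.protected_range = protected_range    # (start, end) of user protection data
        self.threshold = threshold                # designated in advance
        self.reference_count = {}                 # learning unit 36: references per CPU
        self.abnormal = []                        # CPUs reported to CPU 10A

    # --- FIG. 7: update path, driven from the basic side bus 70A ---
    def stage(self, new_allowance):
        """CPU 10A writes the new access allowance data 33; nothing changes yet."""
        self._new_allowance = tuple(new_allowance)

    def commit(self):
        """Update unit 34: replace data 32 by data 33 in one atomic step, so a
        concurrent check sees either the old table or the new one, never a mix."""
        with self._update_lock:
            if self._new_allowance is None:
                return False
            self._allowance = self._new_allowance
            self._new_allowance = None
            return True

    # --- FIG. 8: monitoring and learning, driven from the addition side bus 70B ---
    def _monitor(self, cpu, addr):
        lo, hi = self.protected_range
        if not (lo <= addr <= hi):
            return
        n = self.reference_count.get(cpu, 0) + 1
        self.reference_count[cpu] = n
        if n > self.threshold and cpu not in self.abnormal:
            self.abnormal.append(cpu)             # notification towards CPU 10A
            # Rule applied on an abnormal condition (assumed for this example):
            # strip this CPU from every row that overlaps the protected range.
            rows = []
            for e in self._allowance:
                if cpu in e.cpus and e.start <= hi and e.end >= lo:
                    e = replace(e, cpus=e.cpus - {cpu})
                if e.cpus:
                    rows.append(e)
            self.stage(rows)
            self.commit()

    def check(self, cpu, addr, kind):
        """Access from CPU 10B: monitored first, then decided on the current table."""
        self._monitor(cpu, addr)
        return _lookup(self._allowance, cpu, addr, kind)


def learning_scenario(threshold=3):
    """Constructed scenario: CPU#2 references user protection data repeatedly
    while CPU#3 is well behaved. Returns (results for CPU#2, CPU#3 still allowed,
    CPUs flagged as abnormal)."""
    acu = AccessControlUnit(
        allowance=[Entry(frozenset({2, 3}), 0xC000000, 0xF000000, "R/W")],
        protected_range=(0xD000000, 0xD00FFFF),
        threshold=threshold,
    )
    results = [acu.check(2, 0xD000010, "R") for _ in range(threshold + 2)]
    return results, acu.check(3, 0xD000010, "R"), acu.abnormal
```

Keeping the table as an immutable tuple that is swapped by reference is what makes the update atomic from the reader's point of view; the rows in the staged data 33 are never visible to `check` until `commit` runs, and the learning unit reuses that same path rather than editing the live table in place.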

FIG. 9 is a diagram showing a structure of a second example as a basic structure. With reference to FIG. 9, the second example has one more set of software, an OS and a CPU on the additional processing side added to the structure of FIG. 1. More specifically, a CPU 10C on a second additional processing side communicates with the CPU 10B for the first additional processing through an inter-processor communication unit. The CPU 10C on the second additional processing side is connected to the basic side bus 70A through a second access control unit 302.

Setting of the access control units 301 and 302 is executed by the CPU 10A executing the basic processing 22. In other words, the CPU 10A executing the basic processing 22 functions as the master processor. The CPU 10A executes centralized management of the memory 50 and the input/output device (I/O) 60.

The CPU 10C executing a second additional processing 23C communicates (transmission of data and commands) with the CPU 10B executing a first additional processing 23B through an inter-processor communication unit 403, and the CPU 10B executing the first additional processing 23B communicates (transmission of data and commands) with the CPU 10A executing the basic processing 22 through an inter-processor communication unit 401. In addition, the CPU 10C executing the second additional processing 23C executes only allowed accesses to the memory 50 and the input/output device (I/O) 60 under the monitoring of the second access control unit 302, the CPU 10B executing the first additional processing 23B executes only allowed accesses to the memory 50 and the input/output device (I/O) 60 under the monitoring of the first access control unit 301, and the setting of the access allowance data of the first access control unit 301 and the second access control unit 302 is executed entirely by the CPU 10A. With such a structure, centralized management is executed and processing is transferred between CPUs by an inter-processor communication unit 40. Also in the second example, a direct attack and the like on the CPU 10A executing the basic processing 22 by the additional processings 23B and 23C can be prevented. More specifically, as in the above-described first example, the additional processings 23B and 23C are not allowed to directly start the basic processing 22 or call one of its sub-routines; a request for starting the basic processing 22 is transmitted, for example, from the CPU 10C through the CPU 10B to the CPU 10A via the inter-processor communication units, and the CPU 10A, having received the request, refuses to accept it when it comes from a CPU that is not authorized (details of which will be described in an exemplary embodiment of the software described later). Thus, in addition to the provision of authorization layers in the additional processing side CPUs and the basic processing side CPU, processing through such hardware mechanisms as the inter-processor communication unit 40 and the access control unit 30 enables a direct attack on the basic processing and the like to be avoided. Since the inter-processor communication units 401˜404 in the second example are assumed to have the same structure as that of the first example shown in FIG. 2, and the access control units 301 and 302 are also assumed to have the same structure as that of the first example shown in FIG. 4, description of their detailed structures and operation will be omitted.

FIG. 10 is a diagram showing a structure of a third example as a basic structure. With reference to FIG. 10, the third example, similarly to the structure shown in FIG. 9, is obtained by adding the additional processing side CPU 10C and the access control unit 302 to the structure shown in FIG. 1. The third example, unlike the above-described second example shown in FIG. 9, has memory and an input/output device (I/O) prepared for the CPU group of each set (domain).

The second additional processing CPU 10C is allowed to freely access its own allowed memory 50C and input/output device (I/O) 60C without access limitations. The first additional processing CPU 10B is allowed to access its own allowed memory 50B and input/output device (I/O) 60B without access limitations.

An access from the second additional processing side CPU 10C to the basic processing side memory 50A and input/output device (I/O) 60A is controlled by the two-stage structure of the second access control unit 302 and the first access control unit 301.

An access from the first additional processing side CPU 10B to the basic processing side memory 50A and input/output device (I/O) 60 has its allowance determined by the first access control unit 301.

The access allowance data of the first access control unit 301 and the access allowance data of the second access control unit 302 are set by the CPU 10A of the basic processing. The access allowance data of the second access control unit 302 may alternatively be set by the first additional processing CPU 10B. According to the third example, separating the memory and the input/output devices (I/O) on a domain basis and connecting the CPUs in multiple stages through the inter-processor communication unit 40 strengthens the protection against an attack by additional processing, thereby ensuring security.

FIG. 11 is a diagram showing a modification of the third example, in which the first example shown in FIG. 1 is applied to two or more chips. With reference to FIG. 11, a plurality of chips 80 are provided, each formed of a combination of CPUs 10A, 10B, 10C and 10D and an access control unit 301, and the individual chips 80 are coupled by an access control unit 303. In other words, a plurality of chips 80A and 80B are arranged, and the chip 80A, the chip 80B and so on are coupled to one another by the access control unit 303.

Providing a part of the CPUs in one chip 80 for executing the basic processing enables access limitation by the access control unit 301 within that chip 80; it is also possible to provide at least a part of the CPUs in each chip 80 for executing the basic processing.

It is also possible to form a domain bridging different chips 80, with execution between the respective chips 80 controlled by the access control unit 303.

In either case, appropriate setting of the access control unit 30 enables execution control in the basic structure of the information processing device to which the present invention is applied also across a plurality of chips 80.

The description of the third example so far has concerned mainly the hardware structure of the present invention; a software structure of the present invention is described in the following.

FIG. 12 is a diagram showing one example of a software structure implementing the present invention, which comprises a basic domain, a trusted extended domain and an untrusted extended domain. As the hardware structure underlying FIG. 12, the structure of FIG. 10 comprising three groups of CPUs or the like can be used. In this case, the basic domain, as the execution environment for the basic processing, corresponds to the software 20A and the OS 21A in FIG. 10, the trusted extended domain to the software 20B and the OS 21B in FIG. 10, and the untrusted extended domain to the software 20C and the OS 21C in FIG. 10.

With reference to FIG. 12, a basic domain 100A comprises basic software 110 including a basic application program (referred to as a "basic application") 111 and a basic function 112, an OS 101A, a dedicated file system 103, an external device 102A, a native code download management function 104A and a security policy database 105. Although not limited in particular, when the information processing device of the third example is a portable information communication terminal, the basic function 112 realizes the basic functions of such a terminal, including call processing such as outgoing and incoming calls, Internet access and screen processing; it corresponds to the basic processing 22 of FIG. 1. The basic application 111 calls the basic function 112 to execute processing, and the basic function 112 accesses the file system or the external device through the OS. The external device includes a communication interface such as a wireless communication interface, a display device interface, an input interface such as keys or a pointing device, an SD (Secure Digital) memory card interface, a sound interface and the like.

A trusted extended domain 100B comprises a native code download execution function 104B, a download application program (referred to as a "download application") 120B, a basic function library (wrapper) 113, an OS 101B and an allowed external device 102B.

The OS 101B includes a download driver 121B with a certificate. The download driver 121B with a certificate executes input/output control of the allowed external device 102B.

An untrusted extended domain 100C comprises a native code download execution function 104C, a download application 120C, an OS 101C and an allowed external device 102C. A download driver 121C incorporated into the OS 101C executes input/output control of the allowed external device 102C.

For a file input from the external device 102A of the basic domain 100A and downloaded, the native code download management function 104A refers to the contents of the security policy database 105, transfers a trusted native code application (one with a trusted electronic certificate) to the trusted extended domain 100B, and incorporates a trusted native code download driver 121B (likewise with a trusted electronic certificate) into the OS 101B.

The native code download management function 104A transfers an untrusted application (e.g. one without an electronic certificate, or with a certificate whose contents are not proper) to the untrusted extended domain 100C through the trusted extended domain 100B, and an untrusted download driver (one without a certificate) is incorporated into the OS 101C of the untrusted extended domain.

Calls of the basic function 112 from the trusted extended domain 100B are allowed, while calls of the basic function 112 from the untrusted extended domain 100C are not allowed. The untrusted extended domain 100C and the trusted extended domain 100B can work in cooperation.

Only when the user confirms (OK) data coming from the untrusted domain does an application program operating in the trusted domain transfer that data to the basic function 112. Without the user's confirmation, data from the untrusted domain is not transferred to the basic function 112. Even from the trusted extended domain 100B, no processing request can be issued directly to the basic function 112 of the basic domain 100A; requests pass through the basic function library 113 and the native code download management function 104A, as described with reference to FIG. 16.

FIG. 13 is a diagram for explaining operation of the third example shown in FIG. 12, showing execution of the basic application. In FIG. 13, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: The basic application 111 of the basic domain 100A issues a processing request (e.g. addition of an address book entry) to the basic function 112.

Step 2: The basic function 112 processes the request by using the OS 101A.

Step 3: The basic function 112 notifies the basic application 111 whether the request was allowed or not.

FIG. 14 is a diagram for explaining operation of the third example shown in FIG. 12, showing download and execution of a trusted application. In FIG. 14, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: Download data arrives at the OS 101A from the external device 102A (a network, an SD memory card or the like) on the basic domain 100A.

Step 2: At the basic function 112, the download data is recognized as an additional application (download application) from such information as attribute information.

Step 3: The basic function 112 transfers the additional application to the native code download management function 104A, which refers to the security policy database 105 to check the electronic certificate attached to the additional application. As described above, the electronic certificate stores a public key and a digital signature (the certified organization or its public key enciphered with the issuer's secret key); when the native code download management function 104A authenticates the certificate, it deciphers the digital signature with the public key and checks whether the result coincides with the data contents of the certificate, and when they coincide it determines that the certificate data can be trusted. Further attaching a digital signature formed over a digest of the application makes it possible to examine whether the downloaded application has been altered.

Step 4: The native code download management function 104A preserves the download information together with the electronic certificate in the security policy database 105.

Step 5: When the check finds the electronic certificate proper, the native code download management function 104A of the basic domain 100A transmits the download application to the native code download execution function 104B of the trusted extended domain 100B to request execution. Data transmission from the native code download management function 104A of the basic domain 100A to the native code download execution function 104B of the trusted extended domain 100B is executed by using the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 6: The native code download execution function 104B of the trusted extended domain 100B performs control to execute the received download application.

Step 7: The download application is executed on the trusted extended domain.

FIG. 15 is a diagram for explaining operation of the third example shown in FIG. 12, showing download and execution of a trusted driver. A trusted driver is, for example, a downloaded driver whose attached electronic certificate has a proper collation result. In FIG. 15, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: Download data arrives at the OS 101A from the external device 102A (a network, an SD card or the like) on the basic domain 100A.

Step 2: At the basic function 112, the download data is recognized as an additional device driver (download driver) from attribute information, automatic install information and the like.

Step 3: The basic function 112 transfers the received driver to the native code download management function 104A. The native code download management function 104A refers to the security policy database 105 to check the electronic certificate attached to the download data.

Step 4: The native code download management function 104A preserves the download information together with the electronic certificate in the security policy database 105.

Step 5: The native code download management function 104A transmits the download driver to the native code download execution function 104B of the trusted extended domain to request installation. Data transmission from the native code download management function 104A of the basic domain 100A to the native code download execution function 104B of the trusted extended domain 100B is executed by using the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 6: The native code download execution function 104B of the trusted extended domain automatically installs the received download driver. Although not limited in particular, a download driver in the third example may be a resident driver which, after installation, is incorporated into a certain region of the OS 101B by restarting the CPU.

Step 7: The OS 101B of the trusted extended domain notifies an already executing application, or displays, that the download driver has been installed.

Step 8: In the trusted extended domain, the already executing download application 120B refers to the installed download driver 121B.

Step 9: The download driver 121B installed and loaded into the OS 101B of the trusted extended domain accesses the allowed external device 102B.

Step 10: The download driver 121B returns data from the external device 102B to the download application 120B.

FIG. 16 is a diagram for explaining operation of the third example shown in FIG. 12, showing the operation executed when a trusted application (download application) of the trusted extended domain uses a basic function of the basic domain. In FIG. 16, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: In the trusted extended domain 100B, the download application 120B requests the basic function library 113 to execute processing of the basic function 112 of the basic domain 100A. The basic function library 113 is a library collecting routines for executing the processing of the basic function 112 of the basic domain 100A, and is started by the download application 120B.

Step 2: The basic function library 113 of the trusted extended domain 100B enciphers the request by using a key (a public key or the like) of the electronic certificate held by the download application 120B and transmits the enciphered request to the native code download management function 104A of the basic domain 100A. Transmission of the request from the basic function library 113 of the trusted extended domain 100B to the native code download management function 104A of the basic domain 100A is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 3: The native code download management function 104A of the basic domain 100A deciphers the received request and checks, by using the electronic certificate, whether the transmission source of the request is proper. Although in this example the request is checked by enciphering and deciphering it, it is apparent that any method can be used that enables an application and an electronic certificate to be correlated.

Step 4: The native code download management function 104A of the basic domain 100A makes the request to the basic function 112 when the check finds the request to be proper.

Step 5: The basic function 112 of the basic domain 100A processes the request received from the native code download management function 104A and, after finishing the processing, notifies the native code download management function 104A of the basic domain 100A that the processing is completed.

Step 6: The native code download management function 104A of the basic domain 100A notifies the basic function library 113 of the trusted extended domain 100B that the processing is completed. Transmission of the notification from the native code download management function 104A of the basic domain 100A to the basic function library 113 of the trusted extended domain 100B is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 7: The basic function library 113 of the trusted extended domain notifies the download application 120B of the completion of the processing as the response to the request.

FIG. 17 is a diagram for explaining operation of the third example shown in FIG. 12, showing the procedure for downloading and executing an untrusted application in the untrusted extended domain. In FIG. 17, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: Download data arrives at the OS 101A from the external device 102A (a network, an SD card or the like) on the basic domain 100A.

Step 2: The basic function 112 of the basic domain 100A analyzes attribute information or the like and recognizes the download data as an application (download application).

Step 3: The basic function 112 of the basic domain 100A transfers the download application to the native code download management function 104A. The native code download management function 104A determines that no electronic certificate is attached to the application, or that the electronic certificate is not proper.

Step 4: The native code download management function 104A of the basic domain 100A preserves the download information in the security policy database 105.

Step 5: The native code download management function 104A of the basic domain 100A transmits the download application to the native code download execution function 104B of the trusted extended domain. Application transmission from the native code download management function 104A of the basic domain 100A to the native code download execution function 104B of the trusted extended domain is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 6: The native code download execution function 104B of the trusted extended domain 100B transmits the application to the native code download execution function 104C of the untrusted extended domain 100C to request execution. Application transmission from the native code download execution function 104B of the trusted extended domain 100B to the native code download execution function 104C of the untrusted extended domain 100C is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 7: The native code download execution function 104C of the untrusted extended domain starts the received download application 120C.

Step 8: The download application 120C starts operation in the untrusted extended domain 100C. In this case, the download application 120C of the untrusted extended domain operates on the OS 101C of the untrusted extended domain, which allows it access only to the allowed external device 102C.

FIG. 18 is a diagram for explaining operation of the third example shown in FIG. 12, showing download and execution of an untrusted driver. In FIG. 18, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: Download data arrives at the OS 101A from the external device 102A (a network, an SD card or the like) on the basic domain 100A.

Step 2: Upon being started by the arrival of the download data, the basic function 112 analyzes the download data, such as its attribute information and install information, and recognizes the data as a device driver (download driver).

Step 3: The basic function 112 transfers the download driver to the native code download management function 104A, and the native code download management function 104A finds that no electronic certificate is attached to the download driver, or that although an electronic certificate is attached, its contents are not proper.

Step 4: The native code download management function 104A of the basic domain 100A preserves only the download information in the security policy database 105.

Step 5: The native code download management function 104A transmits the download driver to the native code download execution function 104B of the trusted extended domain 100B. Transmission of the download driver from the native code download management function 104A to the native code download execution function 104B of the trusted extended domain 100B is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 6: The native code download execution function 104B of the trusted extended domain 100B transfers the received download driver to the native code download execution function 104C of the untrusted extended domain 100C. Transfer of the download driver from the native code download execution function 104B of the trusted extended domain 100B to the native code download execution function 104C of the untrusted extended domain 100C is executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 7: The native code download execution function 104C of the untrusted extended domain 100C installs the received download driver 121C.

Step 8: The OS 101C notifies the already executing application 120C that the driver 121C has been installed, or displays it on the screen (to notify the user).

Step 9: In the untrusted extended domain 100C, the already executing application 120C refers to the installed download driver 121C.

Step 10: In the untrusted extended domain 100C, the installed download driver 121C accesses the allowed external device 102C through the OS 101C of the untrusted extended domain.

Step 11: In the untrusted extended domain, the download driver 121C returns the data obtained from the external device 102C to the download application 120C.
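The following is an added example, not code from the patent, of the routing decision that the native code download management function 104A makes in Steps 3 to 5 of FIG. 14, FIG. 15, FIG. 17 and FIG. 18: a download whose certificate is proper and whose digest matches goes to the trusted extended domain with its certificate recorded, and a download without a certificate, with a certificate from an issuer the policy does not trust, or with altered code goes to the untrusted extended domain by way of the trusted extended domain, with only the download information recorded. The certificate layout is an assumption, and an HMAC keyed by the issuer's key stands in for the public-key signature check the text describes.

```python
# Added example (not code from the patent): the routing decision of the native
# code download management function 104A for FIG. 14, 15, 17 and 18.  The
# certificate layout is an assumption, and an HMAC keyed by the issuer's key
# stands in for the public-key signature check the text describes; the digest
# check over the downloaded code follows Step 3 of FIG. 14.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

TRUSTED_EXTENDED = "trusted_extended_domain_100B"
UNTRUSTED_EXTENDED = "untrusted_extended_domain_100C"


@dataclass
class Download:
    kind: str                     # "application" or "driver", from attribute information
    payload: bytes                # the native code
    certificate: Optional[dict]   # None when nothing is attached


def _cert_body(cert):
    return json.dumps({k: cert[k] for k in ("subject", "issuer", "digest")},
                      sort_keys=True).encode()


def issue_certificate(issuer, issuer_key, subject, payload):
    """Constructed issuer: binds the subject to the code digest, then signs."""
    cert = {"subject": subject, "issuer": issuer,
            "digest": hashlib.sha256(payload).hexdigest()}
    cert["signature"] = hmac.new(issuer_key, _cert_body(cert), hashlib.sha256).hexdigest()
    return cert


class SecurityPolicyDB:
    """Security policy database 105: trusted issuer keys plus download records."""
    def __init__(self, issuer_keys):
        self.issuer_keys = dict(issuer_keys)
        self.records = []


def check_certificate(db, dl):
    cert = dl.certificate
    if cert is None:
        return False, "no certificate"
    key = db.issuer_keys.get(cert.get("issuer"))
    if key is None:
        return False, "issuer not trusted by policy"
    expected = hmac.new(key, _cert_body(cert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("signature", "")):
        return False, "certificate signature invalid"
    if hashlib.sha256(dl.payload).hexdigest() != cert["digest"]:
        return False, "downloaded code altered"
    return True, "certificate proper"


def route_download(db, dl):
    """Steps 3-5: check, record, then hand the code to the right domain."""
    trusted, reason = check_certificate(db, dl)
    # Step 4: a trusted download is recorded with its certificate, an untrusted
    # one with download information only.
    db.records.append({"kind": dl.kind, "trusted": trusted, "reason": reason,
                       "certificate": dl.certificate if trusted else None})
    return {
        "domain": TRUSTED_EXTENDED if trusted else UNTRUSTED_EXTENDED,
        "action": "execute" if dl.kind == "application" else "install",
        "via": [] if trusted else [TRUSTED_EXTENDED],   # untrusted code is relayed through 100B
        "reason": reason,
    }


def demo():
    """Runs four constructed downloads through the management function."""
    issuer_key = b"constructed-issuer-key"
    db = SecurityPolicyDB({"example-issuer": issuer_key})
    app = b"\x7fELF...trusted app (constructed bytes)"
    drv = b"\x7fELF...trusted driver (constructed bytes)"
    downloads = {
        "trusted_app": Download("application", app,
                                issue_certificate("example-issuer", issuer_key, "app", app)),
        "trusted_driver": Download("driver", drv,
                                   issue_certificate("example-issuer", issuer_key, "drv", drv)),
        "altered_app": Download("application", app + b"\x90",
                                issue_certificate("example-issuer", issuer_key, "app", app)),
        "unsigned_driver": Download("driver", drv, None),
    }
    return {name: route_download(db, dl) for name, dl in downloads.items()}, db
```

The altered application case is the one worth noting: its certificate verifies, but the digest bound into the certificate no longer matches the code, so it is treated exactly like an uncertified download and never reaches the trusted extended domain.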

FIG. 19 is a diagram for explaining operation of the third example shown in FIG. 12, showing cooperation between a trusted application and an untrusted application when the user declines. In FIG. 19, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: The download application 120C on the untrusted extended domain 100C transmits data to the download application 120B on the trusted extended domain 100B. Data transmission is ordinarily executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 2: The download application 120B on the trusted extended domain 100B executes processing based on the received data and requests the basic function library 113 to execute basic function processing that includes information cooperated with the untrusted extended domain.

Step 3: The basic function library 113 on the trusted extended domain 100B enciphers the request by using the electronic certificate held by the application and transmits the enciphered request to the native code download management function 104A on the basic domain 100A. Transmission of the request is ordinarily executed through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 4: The native code download management function 104A of the basic domain 100A deciphers the request and checks its security by using the electronic certificate stored in the security policy database 105. When the check finds the request proper, the native code download management function 104A asks the user for confirmation through the basic application 111. The basic application 111 includes screen display and input applications. Although in this example the correspondence between an application and an electronic certificate is checked by enciphering and deciphering the request, it is apparent that any method can be used that enables an application and an electronic certificate to be correlated.

Step 5: Assume that "NO" is input as the confirmation from the user.

Step 6: The native code download management function 104A notifies the basic function library 113 of the trusted extended domain 100B of non-allowance. Notification of the non-allowance is ordinarily made through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 7: The basic function library 113 notifies the download application 120B of the non-allowance.

Step 8: The download application 120B on the trusted extended domain 100B notifies the download application 120C on the untrusted extended domain 100C of the non-allowance. Notification of the non-allowance is ordinarily made through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

FIG. 20 is a diagram for explaining operation of the third example shown in FIG. 12, showing cooperation between a trusted application and an untrusted application when the user confirms. In FIG. 20, the numeral attached to each arrow represents the step number at which information is transferred on that line.

Step 1: The download application 120C on the untrusted extended domain 100C transmits data to the download application 120B on the trusted extended domain 100B. Data transmission is executed through the inter-processor communication unit 40 in FIG. 9, FIG. 10 or the like.

Step 2: The download application 120B on the trusted extended domain 100B executes processing based on the received data and requests the basic function library 113 to execute basic function processing that includes information cooperated with the untrusted extended domain.

Step 3: The basic function library 113 on the trusted extended domain 100B enciphers the request by using the electronic certificate that the application 120B holds and transmits the enciphered request to the native code download management function 104A on the basic domain 100A. The request is ordinarily made through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 4: The native code download management function 104A of the basic domain 100A deciphers the request and checks its security by using the electronic certificate stored in the security policy database 105. When the check finds the request proper, the native code download management function 104A asks the user for confirmation through the basic application 111. Although in this example the correspondence between an application and an electronic certificate is checked by enciphering and deciphering the request, it is apparent that any method can be used that enables an application and an electronic certificate to be correlated.

Step 5: In this case, "YES" is input as the confirmation by the user.

Step 6: The native code download management function 104A of the basic domain 100A makes the request to the basic function 112.

Step 7: The basic function 112 processes the request and notifies the native code download management function 104A of the completion of the processing.

Step 8: The native code download management function 104A of the basic domain 100A notifies the basic function library 113 of the trusted extended domain 100B of the completion. Notification of the completion is made through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.

Step 9: The basic function library 113 of the trusted extended domain 100B notifies the download application 120B of the completion.

Step 10: The download application 120B of the trusted extended domain 100B notifies the download application 120C of the untrusted extended domain 100C of the completion. Notification of the completion is made through the inter-processor communication unit 40 in FIG. 9 or FIG. 10.
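The following is an added example, not code from the patent, covering the request path of FIG. 16, FIG. 19 and FIG. 20 together: the basic function library 113 on the trusted extended domain authenticates each request with the key of the certificate its application holds, and the native code download management function 104A on the basic domain checks the source against the certificate kept in the security policy database 105, asks the user before forwarding any request carrying data that came from the untrusted extended domain, and only then calls the basic function 112. An HMAC stands in for the enciphering and deciphering described in the text; the envelope format, the origin field and the confirmation callback are assumptions.

```python
# Added example (not code from the patent): the request path of FIG. 16, 19
# and 20.  An HMAC stands in for the enciphering the text describes; the
# envelope format, the origin field and the confirm callback are assumptions.
import hashlib
import hmac
import json

TRUSTED_EXTENDED = "trusted_extended_domain_100B"
UNTRUSTED_EXTENDED = "untrusted_extended_domain_100C"


class BasicFunction:
    """Basic function 112: here, an address book."""
    def __init__(self):
        self.address_book = []

    def handle(self, op, args):
        if op == "add_address":
            self.address_book.append(args)
            return "completed"
        return "not_allowed:unknown_operation"


class NativeCodeDownloadManager:
    """Management function 104A, the only entry point to the basic function."""
    def __init__(self, app_keys, basic_function, confirm):
        self.app_keys = app_keys      # keys from certificates stored at download (FIG. 14, Step 4)
        self.basic = basic_function
        self.confirm = confirm        # user confirmation through basic application 111

    def handle_request(self, envelope):
        key = self.app_keys.get(envelope.get("app"))
        if key is None:
            return "not_allowed:no_certificate_for_source"
        body = envelope["body"]
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return "not_allowed:source_check_failed"
        req = json.loads(body)
        # Data that came from the untrusted domain needs the user's OK (FIG. 19 / 20).
        if req["origin"] == UNTRUSTED_EXTENDED and not self.confirm(req):
            return "not_allowed:user_declined"
        return self.basic.handle(req["op"], req["args"])


class BasicFunctionLibrary:
    """Wrapper 113 in the trusted extended domain, started by application 120B."""
    def __init__(self, app_id, app_key, manager):
        self.app_id, self.app_key, self.manager = app_id, app_key, manager

    def request(self, op, args, origin=TRUSTED_EXTENDED):
        body = json.dumps({"op": op, "args": args, "origin": origin}, sort_keys=True).encode()
        mac = hmac.new(self.app_key, body, hashlib.sha256).hexdigest()
        return self.manager.handle_request({"app": self.app_id, "body": body, "mac": mac})


def demo(user_answers):
    """user_answers: booleans consumed, one per confirmation prompt (constructed)."""
    answers = list(user_answers)
    basic = BasicFunction()
    app_key = b"constructed-key-of-certificate-120B"
    manager = NativeCodeDownloadManager({"download_app_120B": app_key}, basic,
                                        confirm=lambda req: answers.pop(0))
    lib = BasicFunctionLibrary("download_app_120B", app_key, manager)
    results = {}
    # FIG. 16: the trusted application uses the basic function on its own behalf.
    results["trusted"] = lib.request("add_address", {"name": "A"})
    # FIG. 19 / 20: data handed over from the untrusted application 120C.
    results["cooperation"] = lib.request("add_address", {"name": "B"}, origin=UNTRUSTED_EXTENDED)
    # The untrusted domain trying the path itself: no certificate is stored for it.
    rogue = BasicFunctionLibrary("download_app_120C", b"guess", manager)
    results["untrusted_direct"] = rogue.request("add_address", {"name": "C"})
    # A forged envelope from a party that does not hold 120B's certificate key.
    forged = BasicFunctionLibrary("download_app_120B", b"wrong-key", manager)
    results["forged"] = forged.request("add_address", {"name": "D"})
    results["address_book"] = [entry["name"] for entry in basic.address_book]
    return results
```

The source check and the user confirmation are separate gates: a request the untrusted domain sends under its own name fails the first, and a request the trusted domain relays on the untrusted domain's behalf passes the first but still needs the second, which is the difference between FIG. 19 and FIG. 20.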

FIG. 21 is a diagram showing the structure of a fourth example as a basic structure. Between the OS and the CPU, a virtual machine monitor (a software layer executed by the CPU and lying between the CPU and the OS) is provided. This virtualizes the CPU, the I/O and the memory resources: the virtual machine monitor between the OS and the CPU maps virtual hardware (e.g. a virtual input/output device) onto the actual hardware device. For each of the basic domain, the trusted extended domain and the untrusted extended domain, the OS controls input/output (I/O) through a virtual dedicated file system and virtual external devices, and the virtual CPUs 200A, 200B and 200C and the virtual machine monitors 210A, 210B and 210C provided between the OS and the CPU map the virtual dedicated file system 103′ and the virtual external devices 102A′, 102B′ and 102C′ onto the corresponding real file system and real external devices.

According to the fourth example, unlike the hardware structure shown in FIG. 10 and the software structure shown in FIG. 12, the virtual CPU corresponding to the basic domain, for example, is not fixed, and a CPU of the trusted extended domain or the like can be mapped as a virtual CPU of the basic domain. Implementing the virtual machine monitor requires no modification of the existing OS, application programs, CPU and the like. In the fourth example, the number of CPUs in each domain is variable so as to form the virtual CPUs. As a software structure, the basic domain, the trusted extended domain and the untrusted extended domain are the same as shown in FIG. 12, the only difference being that the devices and the file system are virtual devices and a virtual file system.

FIG. 22 is a diagram showing one example of a processing procedure of the fourth example illustrated in FIG. 21. In FIG. 22, the numeral attached to each arrow represents the step number.

Step 1: The virtual machine monitor 210A of the basic domain 100A requests the virtual machine monitor 210B of the trusted extended domain 100B to transfer a CPU.

Step 2: The virtual machine monitor 210B of the trusted extended domain 100B reduces its virtual CPU resources.

Step 3: The virtual machine monitor 210B of the trusted extended domain 100B notifies the virtual machine monitor 210A of the basic domain 100A of the transferable CPU.

Step 4: The virtual machine monitor 210A of the basic domain 100A sets the access control unit and the like and increases the number of its virtual CPUs.

The fourth example thus enables a CPU of another group to operate as a CPU of the basic domain. Since the application download processing is the same as in the third example (FIG. 13 through FIG. 20), its description is omitted.

As a modification of the fourth example, the virtual machine monitor may be operated in a secure mode, which further improves security.

In a case where, in each of the software examples above, the CPU group of each domain operates as a multiprocessor, all the channels through which the hardware cooperates are designed to be controlled by the basic domain 100A, for example TLB shoot-down (flushing all the entries of the TLB, the address translation table provided in the address management unit), bus invalidation for maintaining cache coherence, and the virtual multiprocessor. In addition, as shown in FIG. 23, the CPU group of each domain (e.g. the CPU groups 10A and 10B having the multi-CPU structure shown in FIG. 1) may be structured to operate separately through a separation unit 15. This simplifies control when a CPU of one domain is transferred to another domain, and thereby also copes with graceful degradation of a failing multiprocessor and the like.

While the first to fourth examples above have been described with respect to an information communication terminal device which downloads and executes additional processing (applications, device drivers) in native code from outside the device, such as from a network, the present invention is not limited to such an information communication terminal device and is applicable to any information processing device.
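The following is an added example, not code from the patent, of the four-step CPU transfer of FIG. 22 with both monitors modelled: the basic domain's monitor requests a CPU, the trusted extended domain's monitor reduces its resources and reports which CPU is transferable, and the basic domain's monitor updates the access control unit and grows its own virtual CPU set. The rule that a donor keeps at least one CPU and the shape of the access control table are assumptions; the rule that only the basic domain may set the access control unit follows the third example.

```python
# Added example (not code from the patent): the CPU transfer of FIG. 22
# between the virtual machine monitors 210A (basic domain) and 210B (trusted
# extended domain).  The minimum of one CPU kept per domain and the shape of
# the access control table are assumptions.
class AccessControlTable:
    """Access control unit settings: which domain each physical CPU belongs to.

    As in the third example, only the basic domain may change the settings.
    """
    def __init__(self, assignment):
        self.domain_of = dict(assignment)

    def assign(self, setter, cpu, domain):
        if setter != "basic_domain_100A":
            raise PermissionError(f"{setter} may not set the access control unit")
        self.domain_of[cpu] = domain


class VirtualMachineMonitor:
    def __init__(self, domain, cpus, table, min_cpus=1):
        self.domain = domain
        self.cpus = list(cpus)      # physical CPUs behind this domain's virtual CPUs
        self.table = table
        self.min_cpus = min_cpus    # assumption: a domain never gives away its last CPU

    # Steps 2 and 3: the donor reduces its virtual CPU resources and reports
    # which physical CPU has become transferable (None if it cannot spare one).
    def release_cpu(self):
        if len(self.cpus) <= self.min_cpus:
            return None
        return self.cpus.pop()

    # Step 4: the receiving monitor sets the access control unit and increases
    # its own virtual CPU count; this succeeds only for the basic domain.
    def accept_cpu(self, cpu, donor):
        if self.table.domain_of.get(cpu) != donor.domain:
            raise ValueError(f"CPU {cpu} is not owned by {donor.domain}")
        self.table.assign(self.domain, cpu, self.domain)
        self.cpus.append(cpu)

    # Step 1: the requesting monitor asks the other monitor for a CPU.
    def request_cpu_transfer(self, donor):
        cpu = donor.release_cpu()
        if cpu is None:
            return False
        self.accept_cpu(cpu, donor)
        return True


def demo():
    """Constructed layout: two CPUs in the basic domain, two in the trusted one."""
    table = AccessControlTable({0: "basic_domain_100A", 1: "basic_domain_100A",
                                2: "trusted_extended_domain_100B",
                                3: "trusted_extended_domain_100B"})
    vmm_a = VirtualMachineMonitor("basic_domain_100A", [0, 1], table)
    vmm_b = VirtualMachineMonitor("trusted_extended_domain_100B", [2, 3], table)
    first = vmm_a.request_cpu_transfer(vmm_b)    # CPU 3 moves to the basic domain
    second = vmm_a.request_cpu_transfer(vmm_b)   # refused: 100B keeps its last CPU
    # The trusted domain's monitor may not reconfigure the access control unit.
    try:
        vmm_b.table.assign(vmm_b.domain, 0, vmm_b.domain)
        reverse_allowed = True
    except PermissionError:
        reverse_allowed = False
    return {"first": first, "second": second, "reverse_allowed": reverse_allowed,
            "cpus_a": sorted(vmm_a.cpus), "cpus_b": sorted(vmm_b.cpus),
            "owner_of_3": table.domain_of[3]}
```

The ownership check in `accept_cpu` matters: the receiving monitor only adds a CPU that the access control table still records as the donor's, so a monitor cannot be talked into claiming a CPU that some other domain holds.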

FIRST EXEMPLARY EMBODIMENT

A first exemplary embodiment will now be described in which the present invention is applied to any of the information processing devices shown above as a basic structure. Description of structure and operation that are the same as in the basic structure is omitted where appropriate.

Structure of the First Exemplary Embodiment

As shown in FIG. 24, the information processing device according to the first exemplary embodiment of the present invention is formed of a multiprocessor and comprises a highest reliability domain 150A, a medium reliability domain 150B and a low reliability domain 150C, data transmission units 301, 302 and 303, low reliability domain data transmission units 304 and 305, medium reliability domain data transmission units 306 and 307, and a domain stop recovery unit 400. It has a function of executing, when notified of a recovery request or the like by a domain, the processing corresponding to the notified request, or a function of executing the processing corresponding to the notified request only when the request is proper.

The information processing device according to the first exemplary embodiment may be a parallel processing system built on an OS for a single processor: the single-processor OS that each domain has and the existing applications run on the multiprocessor without modification, and the existing applications realize parallel processing on the multiprocessor.

In this case, processing is faster than when an application runs on a single processor, and parallel processing is realized with a simpler structure than that of a parallel processing system in which each processor of the multiprocessor has an independent OS.

The highest reliability domain 150A corresponds to the structure formed of the software 20A and the CPU 10A in the second example of FIG. 9 and the third example of FIG. 10, and to the structure formed of the basic domain 100A, the virtual CPU 200A and the virtual machine monitor 210A in the fourth example of FIG. 21; like the basic domain 100A, it has basic applications and basic software. Among these are those providing such functions as a mailer, a browser, i-mode (registered trademark) and an address book.

The highest reliability domain 150A also has a function of communicating, by its own CPU and OS, data related to processing requests issued in the domain, data related to control and the like with the medium reliability domain 150B and the low reliability domain 150C.

Since the highest reliability domain 150A executes processing whose security level is equal to or higher than a fixed level, is provided separately from the other domains, does not, for example, execute externally downloaded native code, and has the highest reliability, it is the domain that recovers all the remaining domains from a failure such as a stopped state.

In addition, the highest reliability domain 150A is connected to the low reliability domain data transmission unit 304 and the medium reliability domain data transmission unit 306, which are dedicated to the communication paths from the highest reliability domain 150A to the other domains, and to the data transmission units 302 and 303, which are dedicated to the communication paths from the other domains to the highest reliability domain 150A; since a separate communication path is provided to each domain, writing of the various kinds of data is allowed only to the highest reliability domain 150A.

The medium reliability domain 150B corresponds to the structure formed of the software 20B and the CPU 10B in the second example of FIG. 9 and the third example of FIG. 10, and to the structure formed of the trusted extended domain 100B, the virtual CPU 200B and the virtual machine monitor 210B in the fourth example of FIG. 21.

The medium reliability domain 150B has a function of communicating, by its own CPU and OS, data related to processing requests issued in the domain, data related to control and the like with the highest reliability domain 150A and the low reliability domain 150C.

The medium reliability domain 150B is a domain which has at least one processing whose security level is lower than that of the processing executed by the highest reliability domain 150A, which is provided separately from the other domains, and which executes, for example, only code guaranteed to be trustworthy among the downloaded native codes.

The low reliability domain 150C corresponds to the structure formed of the software 20C and the CPU 10C in the second example of FIG. 9 and the third example of FIG. 10, and to the structure formed of the untrusted extended domain 100C, the virtual CPU 200C and the virtual machine monitor 210C in the fourth example of FIG. 21.

The low reliability domain 150C has a function of communicating, by its own CPU and OS, data related to processing requests issued in the domain, data related to control and the like with the highest reliability domain 150A and the medium reliability domain 150B.

The low reliability domain 150C is a domain which has at least oneprocessing whose security level is lower than that of the processingexecuted by the medium reliability domain 150B and which is providedseparately from other domains and also executes, for example, other codethan a code guaranteed to be trustful among native codes downloaded.

The highest reliability domain 150A, the medium reliability domain 150Band the low reliability domain 150C may be formed as described in thefollowing.

The highest reliability domain 150A is assumed to be a domain whoseexecution processing each having a security level of the highestreliability domain 150A is equal or higher than a security level ofexecution processing of the medium reliability domain 150B and whichincludes at least one processing whose security level is high as a setof basic domain execution processing, the medium reliability domain 150Bis assumed to be a domain whose each execution processing having asecurity level of the medium reliability domain 150B is equal to orhigher than a security level of execution processing of the lowreliability domain 150C and which includes at least one processing whosesecurity level is high as a set of execution processing of each domain,and the low reliability domain 150C is assumed to be a domain whose eachexecution processing having a security level of the medium reliabilitydomain 150C is equal to or lower than a security level of executionprocessing of the medium reliability domain 150B and which includes atleast one processing whose security level is low as a set of executionprocessing of each domain.

In this case, the highest reliability domain 150A executes processingwhose security level is relatively higher than that of the mediumreliability domain 150B, and the medium reliability domain 150B executesprocessing whose security level is relatively higher than that of thelow reliability domain 150C.

Reliability in the first exemplary embodiment of the present inventionrepresents one set for each stage of a security level based on anelectronic certificate indicative of the degree of security applied toeach processing or according to a certain security policy. For example,for each processing to which digital signing is applied, a securitylevel is set based on a certain security policy.

FIG. 25 is a diagram showing a function significance setting table 700,which illustrates one example of reliability set in the first exemplaryembodiment of the present invention.

As shown in FIG. 25, reliability is set as a security level according tosignificance of each level, for example, hierarchically, level A:password is required, level B: not to confirm twice, level C: to confirmat each execution, level D: to confirm at each access.

By using the above, reliability is applied to a domain according to afunction to be executed. More specifically, reliability is set accordingto significance of contents of a failure recovery request by a domain.

As a result, such flexible recovery processing is enabled as, forexample, allowing a recovery request for a subtle failure withoutuniformly refusing a recovery request from the low reliability domain150C.

While only the same kind of security level may be arranged in one domainsuch as level A to the highest reliability domain 150A, level B to themedium reliability domain 150B and level C to the low reliability domain150C, possible as reliability setting which enables flexible recoveryprocessing is, for example, as shown in FIG. 25, arranging a level equalto or higher than level A and equal to or higher than level B to thehighest reliability domain 150A according to significance of a functionto be executed, a level equal to or higher than level B and equal to orhigher than level C to the medium reliability domain 150B according to afunction to be executed, and a level equal to or higher than level C andequal to or higher than level D to the low reliability domain 150Caccording to a function to be executed.

Thus set reliability may be managed, for example, by the highestreliability domain 150A and in such a case, determination of the highestreliability domain 150A enables priority of a function or processing tobe executed to be defined according to reliability.

Reliability can be made based on any certificate or any security policyas long as it enables such setting as described above and can bearbitrarily set according to a function to be executed or the number ofdomains.

The data transmission units 301, 302 and 303 have a function oftransmitting data related to a processing request issued in a domain,data related to control and the like and their structure examplesinclude, for example, a shared memory and an inter-processorinterruption, FIFO or a queue, a dual port memory, such a network asLAN, wire communication, radio communication and the like which may berealized by a common related technique having a function of transmittingdata, whose structure is not in particular limited as long as it enablesdata transmission.

Data transmitted by the data transmission units 301, 302 and 303includes information for identifying a requesting source domain whichhas issued a processing request, information for identifying a domain tobe processed, information for identifying contents of processing and thelike, and depending on a case, includes information related to an actualfailure condition of a domain to be processed.

The data transmission units 301, 302 and 303 comprise a mechanism (notshown) for executing error notification to a higher layer in atransmission destination domain or error processing. This is becausedata transmission while the transmission destination domain is inrecovery processing needs elimination of useless waiting until datatransmission is completed by such a mechanism.

This is also the case with data transmission units 304 a, 305 a, 306 aand 307 a which will be described later.

The data transmission unit 301 has a function of notifying the domain stop recovery unit 400 of a processing request which requests recovery of the medium reliability domain 150B or the low reliability domain 150C and the like and which is issued by the highest reliability domain 150A.

The data transmission unit 302 has a function of notifying the highest reliability domain 150A of a processing request which requests recovery of the medium reliability domain 150B or the low reliability domain 150C and the like and which is issued by the medium reliability domain 150B.

The data transmission unit 303 has a function of notifying the highest reliability domain 150A of a processing request which requests recovery of the medium reliability domain 150B or the low reliability domain 150C and the like and which is issued by the low reliability domain 150C.

The low reliability domain data transmission units 304 and 305 comprise the data transmission units 304 a and 305 a and the low reliability domain stop sensing units 304 b and 305 b, respectively, and have a function of sensing what failure condition the low reliability domain 150C actually has at the time of data transmission to the low reliability domain 150C as a target domain.

The medium reliability domain data transmission units 306 and 307 comprise the data transmission units 306 a and 307 a and the medium reliability domain stop sensing units 306 b and 307 b, respectively, and have a function of sensing what failure condition the medium reliability domain 150B actually has at the time of data transmission to the medium reliability domain 150B as a target domain.

The data transmission units 304 a, 305 a, 306 a and 307 a have the same functions as those of the above-described data transmission units 301, 302 and 303.

The low reliability domain stop sensing units 304 b and 305 b have the function of sensing whether or not the low reliability domain 150C is actually in the stopped state at the time of data transmission to the low reliability domain 150C by the data transmission unit 304 a or 305 a.

With this sensing function, whether the low reliability domain 150C is in the stopped state is sensed, for example, by determining whether the data in question is received by the low reliability domain 150C as the transmission destination domain. More specifically, sensing is realized by measuring the time or the number of times of a failure in reception of the data in question by the low reliability domain 150C. To prevent an increase in the processing loads of the highest reliability domain 150A and the medium reliability domain 150B, the time required for this sensing processing should desirably be as short as possible.

When sensing that the low reliability domain 150C is in the stopped state, the low reliability domain stop sensing units 304 b and 305 b notify the highest reliability domain 150A that the low reliability domain 150C is in the stopped state.

The medium reliability domain stop sensing unit 306 b has the same structure and function as those of the low reliability domain stop sensing units 304 b and 305 b, and has a function of sensing whether or not the medium reliability domain 150B is actually in the stopped state (sensing the failure contents of the domain) at the time of data transmission to the medium reliability domain 150B by the data transmission unit 306 a.

With this sensing function, whether the medium reliability domain 150B is in the stopped state is sensed, for example, by determining whether the data in question is received by the medium reliability domain 150B as the transmission destination domain. More specifically, the determination can be made by measuring the time or the number of times of a failure in reception of the data in question by the medium reliability domain 150B. To prevent an increase in the processing load of the highest reliability domain 150A, the time required for this sensing processing should desirably be as short as possible.

Upon confirming that the medium reliability domain 150B is in the stopped state, the medium reliability domain stop sensing unit 306 b notifies the highest reliability domain 150A that the medium reliability domain 150B is in the stopped state.

As will be described later, the medium reliability domain stop sensing unit 306 b, when authorized to allow recovery processing of the medium reliability domain 150B, may directly notify the domain stop recovery unit 400 that the medium reliability domain 150B is in the stopped state, so that the recovery processing of the medium reliability domain 150B is executed by the domain stop recovery unit 400.

In this case, since the highest reliability domain 150A does not execute the processing related to allowance of the recovery processing, such an effect as mitigating the processing load of the highest reliability domain 150A can be obtained.

On the other hand, the medium reliability domain stop sensing unit 307 b, which is a unit for sensing the stop of a domain whose reliability is higher than that of its own domain, has a function of sensing whether or not the medium reliability domain 150B is actually in the stopped state at the time of data transmission to the medium reliability domain 150B by the data transmission unit 307 a.

With this sensing function, whether or not the medium reliability domain 150B is in the stopped state is sensed, for example, by determining whether the data in question is received by the medium reliability domain 150B as the transmission destination domain. More specifically, the determination can be made by measuring the time or the number of times of a failure in reception of the data in question by the medium reliability domain 150B. Since the shorter the time of this sensing processing becomes, the lower the reliability of the genuineness of the information notified to the highest reliability domain 150A by the low reliability domain 150C, a longer time needs to be provided for this sensing processing.

Upon sensing that the medium reliability domain 150B is in the stopped state, the medium reliability domain stop sensing unit 307 b notifies the highest reliability domain 150A that the medium reliability domain 150B is in the stopped state.

In addition, each of the above-described domain stop sensing units is allowed to sense whether or not a domain whose stop is to be sensed is actually in the stopped state by such a method as set forth in the following, for example.

(1) Sensing is realized by counting the existence/non-existence of a response to a check packet periodically transmitted by the transmission source domain to the transmission destination domain as the target whose stop is to be sensed. More specifically, the time and the number of times for which no response is received are counted. The time and the number of times to be counted may be changed according to a difference in reliability.

(2) Sensing is realized by counting stop/run-away information displayed by the transmission destination domain. More specifically, the cessation of information which is to be periodically updated by the transmission destination domain is counted.

Each of the above-described time and number of times, the update information counting frequency and the like may be set by a domain whose reliability is higher than that of the transmission destination domain. A setting change which exceeds the lowest threshold value, however, is assumed to be impossible.

Each of the above-described domain stop sensing units may check whether a domain whose stop is to be sensed is actually in the stopped state by arbitrarily combining each of the above-described sensing processing manners, the relevant time, number of times, update information and the like.

The domain stop recovery unit 400 has a function of executing various kinds of processing requests, including recovery processing such as reset of a CPU in the target domain, re-boot of an OS, re-boot of the domain itself, rollback to an environment at a specific time and date (for example, month and day), or recovery of a communication path and re-start of an application, based on the recovery request and the like notified by the highest reliability domain 150A through the data transmission unit 301. Furthermore, the unit is structured to be accessible only from the highest reliability domain 150A, so as to accept a processing request from the highest reliability domain 150A unconditionally.

When domains other than the highest reliability domain 150A make a request for processing such as recovery processing, the domain stop recovery unit 400 refuses all such requests.

More specifically, a recovery condition can be determined according to the reliability of an individual domain by allowance or refusal of a recovery request from that domain. The recovery condition in the present exemplary embodiment is, for example, defined to allow all recovery requests from the highest reliability domain, while refusing all recovery requests from other domains.

FIG. 26 shows a structure of the domain stop recovery unit 400.

As shown in FIG. 26, the domain stop recovery unit 400 comprises a recovery request reception unit 401 and a domain stop recovery processing unit 402.

The recovery request reception unit 401 has a function of receiving a recovery request (processing request) from the highest reliability domain 150A through the data transmission unit 301 and notifying the domain stop recovery processing unit 402 of the processing request.

Based on the processing request notified from the recovery request reception unit 401, the domain stop recovery processing unit 402 identifies the processing contents, such as which domain is to be processed and which processing is requested, and asks the relevant domain for the relevant processing contents.

In a case, for example, where the processing request notified by the highest reliability domain 150A is a request for recovery processing of the stopped medium reliability domain 150B, the domain stop recovery processing unit 402 asks the stopped medium reliability domain 150B for recovery processing.

In communication, since a communication partner is defined in each layer, the processing contents vary according to the kind of failure sensed in each layer. The recovery contents vary, for example, with the state of stoppage sensed in each layer.

FIG. 27 shows one example of a correspondence relationship between contents of communication processing (processing contents) and the layered structure.

As shown in FIG. 27, the layered structure of each domain is sequentially formed, for example, of an application layer, a library layer, an OS layer and a CPU layer starting from the upper layer, and the domain stop recovery processing unit 402 executes the stop sensing processing corresponding to each layer, which is determined in advance, to execute communication processing (recovery processing).

The contents of communication processing (recovery processing contents) include re-start of an application in the application layer, rollback to a certain time point in the library layer, OS re-boot in the OS layer and CPU rollback in the CPU layer.

Since a program for operating the information processing device in the first exemplary embodiment needs to stably realize the function implemented by each of the above-described units and means, it is preferably stored and executed in the highest reliability domain 150A, which is subject to no effect of externally downloaded additional processing.

Here, a hardware structure of the information processing device according to the first exemplary embodiment will be described.

FIG. 28 is a block diagram showing one example of a hardware structure of the information processing device according to the first exemplary embodiment.

With reference to FIG. 28, the information processing device according to the first exemplary embodiment, which can be realized with the same hardware structure as that of a common computer device, comprises a plurality of CPUs (Central Processing Units) 501, a main storage unit 502 used as a data working region or a data temporary save region, which is a main memory such as a RAM (Random Access Memory), a communication unit 503 for transmitting and receiving data through an internet 600, a presentation unit 504 such as a liquid crystal display, a printer or a speaker, an input unit 505 such as a key operation unit, an interface unit 506 connected to a peripheral apparatus for transmitting and receiving data, a subsidiary storage unit 507 as a hard disk device formed of such a non-volatile memory as a ROM (Read Only Memory), a magnetic disk or a semiconductor memory, and a system bus 508 which connects each of the above-described components of the present information processing device with each other.

The information processing device according to the first exemplary embodiment has its operation realized not only as hardware, by mounting a circuit part formed of a hardware part such as an LSI (Large Scale Integration) in which a program realizing such a function is incorporated inside the information processing device, but also as software, by executing a program which provides each function of each of the above-described means and units on the CPU 501 of the computer processing device.

Operation of First Exemplary Embodiment

(Processing Request by Highest Reliability Domain 150A)

FIG. 29 is a diagram for use in explaining one example of operation of the first exemplary embodiment shown in FIG. 24, which illustrates stop sensing-recovery processing of the medium reliability domain 150B by the highest reliability domain 150A. In FIG. 29, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

First assume that, as an initial state, the medium reliability domain 150B abnormally stops.

Step 1: The highest reliability domain 150A transmits data to the medium reliability domain 150B through the data transmission unit 306 a of the data transmission unit 306 with a medium reliability domain stop sensing function.

Step 2: The medium reliability domain stop sensing unit 306 b of the data transmission unit 306 with a medium reliability domain stop sensing function senses that the medium reliability domain 150B has stopped.

Step 3: Upon sensing by the medium reliability domain stop sensing unit 306 b that the medium reliability domain 150B has stopped, the highest reliability domain 150A requests the domain stop recovery unit 400 to recover the medium reliability domain 150B through the data transmission unit 301.

Step 4: Based on the recovery request from the highest reliability domain 150A, the domain stop recovery unit 400 recovers the medium reliability domain 150B.

FIG. 30 is a diagram for use in explaining one example of operation of the first exemplary embodiment shown in FIG. 24, which illustrates stop sensing-recovery processing of the low reliability domain 150C by the highest reliability domain 150A. In FIG. 30, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

First assume that, as an initial state, the low reliability domain 150C abnormally stops.

Step 1: The highest reliability domain 150A transmits data to the low reliability domain 150C through the data transmission unit 304 a of the data transmission unit 304 with a low reliability domain stop sensing function.

Step 2: The low reliability domain stop sensing unit 304 b of the data transmission unit 304 with a low reliability domain stop sensing function senses that the low reliability domain 150C has stopped.

Step 3: Upon sensing by the low reliability domain stop sensing unit 304 b that the low reliability domain 150C has stopped, the highest reliability domain 150A requests the domain stop recovery unit 400 to recover the low reliability domain 150C through the data transmission unit 301.

Step 4: Based on the recovery request from the highest reliability domain 150A, the domain stop recovery unit 400 recovers the low reliability domain 150C.

(Processing Request by Medium Reliability Domain 150B)

FIG. 31 is a diagram for use in explaining one example of operation of the first exemplary embodiment shown in FIG. 24, which illustrates stop sensing-recovery processing of the low reliability domain 150C by the medium reliability domain 150B. In FIG. 31, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

First assume that, as an initial state, the low reliability domain 150C abnormally stops.

Step 1: The medium reliability domain 150B transmits data to the low reliability domain 150C through the data transmission unit 305 a of the data transmission unit 305 with a low reliability domain stop sensing function.

Step 2: The low reliability domain stop sensing unit 305 b of the data transmission unit 305 with a low reliability domain stop sensing function senses that the low reliability domain 150C has stopped.

Step 3: Upon sensing by the low reliability domain stop sensing unit 305 b that the low reliability domain 150C has stopped, the medium reliability domain 150B requests the highest reliability domain 150A to recover the low reliability domain 150C through the data transmission unit 302.

Step 4: The highest reliability domain 150A requests the domain stop recovery unit 400 to recover the low reliability domain 150C through the data transmission unit 301.

Step 5: The domain stop recovery unit 400 recovers the low reliability domain 150C based on the recovery request from the highest reliability domain 150A.

To confirm that the above-described low reliability domain 150C whose recovery is requested has actually stopped, the highest reliability domain 150A may sense the existence/non-existence of the stop by using the data transmission unit 304 with a low reliability domain stop sensing function between Step 3 and Step 4.

Alternatively, to confirm that the above-described low reliability domain 150C whose recovery is requested has actually stopped, the domain stop recovery unit 400 may sense the existence/non-existence of the stop by using the data transmission unit 304 with a low reliability domain stop sensing function between Step 4 and Step 5.

(Processing Request by Low Reliability Domain 150C)

FIG. 32 is a diagram for use in explaining one example of operation of the first exemplary embodiment shown in FIG. 24, which illustrates stop sensing-recovery processing of the medium reliability domain 150B by the low reliability domain 150C. In FIG. 32, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

First assume that, as an initial state, the medium reliability domain 150B abnormally stops.

Step 1: The low reliability domain 150C transmits data to the medium reliability domain 150B through the data transmission unit 307 a of the data transmission unit 307 with a medium reliability domain stop sensing function.

Step 2: The medium reliability domain stop sensing unit 307 b of the data transmission unit 307 with a medium reliability domain stop sensing function senses that the medium reliability domain 150B has stopped.

Step 3: Upon sensing by the medium reliability domain stop sensing unit 307 b that the medium reliability domain 150B has stopped, the low reliability domain 150C requests the highest reliability domain 150A to recover the medium reliability domain 150B through the data transmission unit 303.

Step 4: Since the low reliability domain 150C as the recovery requesting source domain has a reliability lower than that of the medium reliability domain 150B as the recovery target domain, namely low reliability, the highest reliability domain 150A, to confirm the genuineness of the target or contents of the recovery request, transmits data to the medium reliability domain 150B through the data transmission unit 306 a of the data transmission unit 306 with a medium reliability domain stop sensing function.

Step 5: The medium reliability domain stop sensing unit 306 b of the data transmission unit 306 with a medium reliability domain stop sensing function senses that the medium reliability domain 150B has stopped, confirming that the medium reliability domain 150B has actually stopped.

Step 6: Upon confirmation that the medium reliability domain 150B has actually stopped, the highest reliability domain 150A requests the domain stop recovery unit 400 to recover the medium reliability domain 150B through the data transmission unit 301.

Step 7: Based on the recovery request from the highest reliability domain 150A, the domain stop recovery unit 400 recovers the medium reliability domain 150B.

Instead of the confirmation processing by the highest reliability domain 150A at Step 4 through Step 6, the domain stop recovery unit 400 may sense the existence/non-existence of the stop by using the data transmission unit 306 with a medium reliability domain stop sensing function between Step 6 and Step 7, to confirm that the above-described medium reliability domain 150B whose recovery is requested has actually stopped.

(Processing Request by the Same Reliability Domain)

FIG. 33 is a diagram for use in explaining one example of operation of the first exemplary embodiment shown in FIG. 24, which illustrates stop sensing-recovery processing of another medium reliability domain 150B by the medium reliability domain 150B, as an example of stop sensing-recovery processing within the same reliability domain. In FIG. 33, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

First assume that, as an initial state, at least one medium reliability domain 150B in a group of medium reliability domains 150B abnormally stops.

Step 1: Another medium reliability domain 150B which has not stopped transmits data to the above-described medium reliability domain 150B in the group of medium reliability domains 150B.

Step 2: The stop of the above-described medium reliability domain 150B as the data transmission destination is sensed. Stop sensing processing within the same reliability domain is the same as stop sensing processing within the same domain among domains for which reliabilities are not set. Accordingly, since such stop sensing processing is a common technique, no description will be made.

Step 3: Upon sensing that the above-described medium reliability domain 150B as the data transmission destination has stopped, the medium reliability domain 150B as the transmission source of the data requests the highest reliability domain 150A to recover the above-described medium reliability domain 150B in the stopped state through the data transmission unit 302.

Step 4: The highest reliability domain 150A requests the domain stop recovery unit 400 to recover the above-described medium reliability domain 150B in the stopped state through the data transmission unit 301.

Step 5: The domain stop recovery unit 400 recovers the above-described medium reliability domain 150B in the stopped state based on the recovery request from the highest reliability domain 150A.

To confirm that the above-described medium reliability domain 150B in the stopped state whose recovery is requested has actually stopped, the highest reliability domain 150A may sense the existence/non-existence of the stop by using the data transmission unit 306 with a medium reliability domain stop sensing function between Step 3 and Step 4.

Alternatively, to confirm that the above-described medium reliability domain 150B in the stopped state whose recovery is requested has actually stopped, the domain stop recovery unit 400 may sense the existence/non-existence of the stop by using the data transmission unit 306 with a medium reliability domain stop sensing function between Step 4 and Step 5.
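The check-packet stop sensing of method (1) above and the processing request flows of FIG. 29 through FIG. 33 can be exercised together in a small simulation. The following Python is an added example written for this page, not code from the patent; the domain names, the threshold values and the check-packet response sequences are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Reliability(IntEnum):
    """Reliability ordering of the three domains of FIG. 24."""
    LOW = 1       # low reliability domain 150C
    MEDIUM = 2    # medium reliability domain 150B
    HIGHEST = 3   # highest reliability domain 150A


# FIG. 27: the layer at which a stop is sensed selects the recovery contents.
RECOVERY_BY_LAYER = {
    "application": "re-start application",
    "library": "rollback to checkpoint",
    "os": "re-boot OS",
    "cpu": "CPU reset",
}

# Lowest threshold that a setting change may not go below (assumed value).
MIN_NO_RESPONSE_COUNT = 2


@dataclass
class Domain:
    name: str
    reliability: Reliability
    # Constructed check-packet behaviour, one entry per packet (True = answered).
    # An empty or exhausted list models a domain that has abnormally stopped.
    responses: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def answer_check_packet(self) -> bool:
        return self.responses.pop(0) if self.responses else False

    def recover(self, layer: str) -> None:
        self.history.append(RECOVERY_BY_LAYER[layer])
        self.responses = [True] * 8      # a recovered domain answers again


def no_response_threshold(sensor: Domain, target: Domain, configured: int = 3) -> int:
    """Unanswered check packets before the target counts as stopped: floored at
    the lowest threshold, and longer when the sensor is less reliable than the
    target (unit 307 b), so that a less trusted report is checked for longer."""
    threshold = max(configured, MIN_NO_RESPONSE_COUNT)
    if sensor.reliability < target.reliability:
        threshold += int(target.reliability) - int(sensor.reliability)
    return threshold


def sense_stopped(sensor: Domain, target: Domain, configured: int = 3) -> bool:
    """Stop sensing method (1): count missing responses to periodic check packets."""
    threshold = no_response_threshold(sensor, target, configured)
    misses = 0
    while misses < threshold:
        if target.answer_check_packet():
            return False             # any answer: the target is not stopped
        misses += 1
    return True


class DomainStopRecoveryUnit:
    """Domain stop recovery unit 400 with the recovery condition of the embodiment."""

    def __init__(self) -> None:
        self.log = []

    def request(self, requester: Domain, target: Domain, layer: str) -> bool:
        # Allow every request from the highest reliability domain, refuse all others.
        if requester.reliability != Reliability.HIGHEST:
            self.log.append(f"refused: {requester.name} may not drive recovery")
            return False
        target.recover(layer)
        self.log.append(f"{target.name}: {RECOVERY_BY_LAYER[layer]}")
        return True


def handle_recovery_request(highest: Domain, requester: Domain, target: Domain,
                            unit: DomainStopRecoveryUnit, layer: str = "os",
                            always_confirm: bool = False) -> bool:
    """Domain 150A relaying another domain's request to unit 400.  FIG. 32 Step 4:
    a requester less reliable than the target is not taken at its word, so 150A
    re-senses the stop first; for FIG. 31 and FIG. 33 the check is optional."""
    must_confirm = always_confirm or requester.reliability < target.reliability
    if must_confirm and not sense_stopped(highest, target):
        return False                 # target still answers: request is not genuine
    return unit.request(highest, target, layer)


if __name__ == "__main__":
    d150a = Domain("150A", Reliability.HIGHEST, [True] * 8)
    d150b = Domain("150B", Reliability.MEDIUM)             # stopped: never answers
    d150c = Domain("150C", Reliability.LOW, [True] * 8)
    unit = DomainStopRecoveryUnit()
    print("direct request by 150C:", unit.request(d150c, d150b, "os"))    # False
    print("relayed through 150A:", handle_recovery_request(d150a, d150c, d150b, unit))
    print(unit.log, d150b.history)
```

A request that bypasses 150A is refused regardless of whether the target has stopped, and a request relayed by 150A on behalf of a lower-reliability domain succeeds only after 150A's own sensing unit has confirmed the stop.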

Effects of First Exemplary Embodiment

Thus, according to the first exemplary embodiment of the present invention, since the domains are separated based on reliability, the highest reliability domain 150A, which holds such basic processing as the mailer or browser, is not affected by an attack from any other domain, and even when another domain stops, no basic processing of the information processing device such as the mailer or browser freezes. In other words, since neither a malicious processing request carrying a virus nor a processing request for erroneous recovery is accepted from a domain with low reliability, freezing of the basic processing of the information processing device is prevented.

In addition, since the highest reliability domain 150A is connected to the low reliability domain data transmission unit 304 and the medium reliability domain data transmission unit 306, which are dedicated to the communication paths toward the other domains, and to the data transmission units 302 and 303, which are dedicated to the communication paths from the other domains, so that a separate communication path is provided for each domain, the various kinds of data may be written only to the highest reliability domain 150A, which eliminates the need for exclusive control between the domains.

Furthermore, since a domain other than the highest reliability domain 150A that develops a fault such as a stop can be recovered by the domain stop recovery unit, the security of the highest reliability domain 150A is ensured while continuous operation of the information processing device is enabled.

In addition, spontaneous domain recovery by a watchdog timer or the like has the problem that, because the time required to recover a data transmission destination domain cannot be seen, coping with the error degrades performance, and in some cases spontaneous recovery cannot even be started. According to the first exemplary embodiment of the present invention, by contrast, the highest reliability domain 150A senses a failure in the medium reliability domain 150B or the low reliability domain 150C at the time of data transmission to it, by means of the low reliability domain data transmission unit 304 and the medium reliability domain data transmission unit 306, so that the failure can be recovered at the time of data transmission and the above problem is avoided.

Furthermore, because the highest reliability domain 150A comprises two kinds of stop sensing units, the low reliability domain stop sensing unit 304 b and the medium reliability domain stop sensing unit 306 b, the stop sensing processing of the highest reliability domain 150A is decentralized and can be sped up.

In addition, since the highest reliability domain 150A is allowed to execute recovery processing at its own discretion, based on a priority according to reliability, the information processing device can be recovered appropriately, for example by recovering the necessary functions first. Even when, for example, a plurality of recovery requests are made simultaneously for a domain developing a fault, flexible and efficient recovery processing is enabled based on the reliability of the domain that issued each recovery request, or on a priority according to the reliability of the processing contents indicated by the request. It is also possible to suppress unnecessary recovery processing, or to execute only the minimum necessary recovery processing.

Second Exemplary Embodiment

The second exemplary embodiment corresponds to the first exemplary embodiment shown in FIG. 24 and adopts the same structure, but differs in that the domain stop recovery unit 400 has a stop confirmation unit 403 for receiving the requests issued by the various domains.

In the following, description is made mainly of the differences from the first exemplary embodiment; components common to the first exemplary embodiment are not described again.

Structure of Second Exemplary Embodiment

FIG. 34 is a diagram showing a structure of the domain stop recovery unit 400 according to the second exemplary embodiment.

As shown in FIG. 34, the domain stop recovery unit 400 according to the second exemplary embodiment differs from that of the first exemplary embodiment in having the stop confirmation unit 403.

The stop confirmation unit 403 has a function of obtaining, from the information notified by the various domains through the recovery request reception unit 401, information identifying the requesting source domain that issued the recovery request (processing request), information identifying the domain to be processed, information identifying the contents of the processing and the like, and of sensing the actual failure condition of the domain to be processed by using the low reliability domain data transmission unit 304 or the medium reliability domain data transmission unit 306, so as to confirm that the obtained processing contents are genuine.

When it thus confirms that the obtained contents of the processing are true, the stop confirmation unit 403 notifies the domain stop recovery processing unit 402 of the information notified by the domain and requests processing.

Upon being requested for processing by the stop confirmation unit 403, the domain stop recovery processing unit 402 asks a predetermined unit in the domain to be processed for processing such as recovery, based on the information notified by the stop confirmation unit 403.

In the second exemplary embodiment, the stop confirmation unit 403 of the domain stop recovery unit 400 may itself comprise the low reliability domain data transmission unit 304 and the medium reliability domain data transmission unit 306. Alternatively, the stop confirmation unit 403 may be provided outside the domain stop recovery unit 400, execute the above-described sensing processing based on the information notified by the various domains, and make a processing request to the domain stop recovery processing unit 402 in the domain stop recovery unit 400.

Operation of Second Exemplary Embodiment (Processing Request by Medium Reliability Domain 150B)

FIG. 35 is a diagram for explaining one example of the operation executed when the first exemplary embodiment shown in FIG. 24 comprises the domain stop recovery unit 400 shown in FIG. 34, and illustrates stop sensing and recovery processing of the low reliability domain 150C by the medium reliability domain 150B. In FIG. 35, the numeral attached to each arrow represents the step number at which information is transferred on that line.

This differs from the first exemplary embodiment shown in FIG. 24 in that the medium reliability domain 150B requests the domain stop recovery unit 400 directly, through the data transmission unit 302, to recover the low reliability domain 150C.

First, assume as the initial state that the low reliability domain 150C has abnormally stopped and that the medium reliability domain 150B is allowed to use, or has authorization to use, the domain stop recovery unit 400.

Step 1: The medium reliability domain 150B transmits data to the low reliability domain 150C through the data transmission unit 305 a of the data transmission unit 305 with a low reliability domain stop sensing function.

Step 2: The low reliability domain stop sensing unit 305 b of the data transmission unit 305 with a low reliability domain stop sensing function senses that the low reliability domain 150C has stopped.

Step 3: Upon the low reliability domain stop sensing unit 305 b sensing that the low reliability domain 150C has stopped, the medium reliability domain 150B, which is allowed to use the domain stop recovery unit 400, requests the domain stop recovery unit 400, through the data transmission unit 302, to recover the low reliability domain 150C.

Step 4: The domain stop recovery unit 400 recovers the low reliability domain 150C based on the recovery request from the medium reliability domain 150B.

To confirm that the low reliability domain 150C whose recovery is requested has actually stopped, the domain stop recovery unit 400 may check for the stop by using the data transmission unit 304 with a low reliability domain stop sensing function between Step 3 and Step 4.

Alternatively, the domain stop recovery unit 400 may in principle confirm a failure such as an actual stop of the low reliability domain 150C whose recovery is requested by checking for the stop or the like with the data transmission unit 304 with a low reliability domain stop sensing function between Step 3 and Step 4, but refrain from this check when the recovery request comes from the medium reliability domain 150B, based on the reliability setting.

(Processing Request by Low Reliability Domain 150C)

FIG. 36 is a diagram for explaining one example of the operation executed when the first exemplary embodiment shown in FIG. 24 comprises the domain stop recovery unit 400 shown in FIG. 34, and illustrates stop sensing and recovery processing of the medium reliability domain 150B by the low reliability domain 150C. In FIG. 36, the numeral attached to each arrow represents the step number at which information is transferred on that line.

This differs from the first exemplary embodiment shown in FIG. 24 in that the low reliability domain 150C requests the domain stop recovery unit 400, through the data transmission unit 303, to recover the medium reliability domain 150B, that the low reliability domain 150C transmits data to the medium reliability domain 150B and senses its stop by using the data transmission unit 307 with a medium reliability domain stop sensing function, and that the domain stop recovery unit 400 confirms the stop of the medium reliability domain 150B by using the data transmission unit 306 with a medium reliability domain stop sensing function.

First, assume as the initial state that the medium reliability domain 150B has abnormally stopped and that the low reliability domain 150C is allowed to use, or has authorization to use, the domain stop recovery unit 400.

Step 1: The low reliability domain 150C transmits data to the medium reliability domain 150B through the data transmission unit 307 a of the data transmission unit 307 with a medium reliability domain stop sensing function.

Step 2: The medium reliability domain stop sensing unit 307 b of the data transmission unit 307 with a medium reliability domain stop sensing function senses that the medium reliability domain 150B has stopped.

Step 3: Upon the medium reliability domain stop sensing unit 307 b sensing that the medium reliability domain 150B has stopped, the low reliability domain 150C requests the domain stop recovery unit 400, through the data transmission unit 303, to recover the medium reliability domain 150B.

Step 4: Since the low reliability domain 150C as the recovery requesting source domain has a lower reliability than the medium reliability domain 150B as the recovery target domain, the domain stop recovery unit 400, in order to confirm that the target and the contents of the recovery request are genuine, transmits data to the medium reliability domain 150B through the data transmission unit 306 a of the data transmission unit 306 with a medium reliability domain stop sensing function.

Step 5: When the medium reliability domain stop sensing unit 306 b of the data transmission unit 306 with a medium reliability domain stop sensing function senses that the medium reliability domain 150B has stopped, the domain stop recovery unit 400 confirms that the medium reliability domain 150B has actually stopped.

Step 6: Upon confirming that the medium reliability domain 150B has actually stopped, the domain stop recovery unit 400 recovers the medium reliability domain 150B based on the recovery request from the low reliability domain 150C.

(Processing Request by the Same Reliability Domain)

FIG. 37 is a diagram for explaining one example of the operation executed when the first exemplary embodiment shown in FIG. 24 comprises the domain stop recovery unit 400 shown in FIG. 34, and illustrates stop sensing and recovery processing of one medium reliability domain 150B by another medium reliability domain 150B, as an example of stop sensing and recovery processing between domains of the same reliability. In FIG. 37, the numeral attached to each arrow represents the step number at which information is transferred on the line in question.

This differs from the first exemplary embodiment shown in FIG. 24 in that the medium reliability domain 150B requests the domain stop recovery unit 400 directly, through the data transmission unit 302, to recover the other medium reliability domain 150B.

First, assume as the initial state that at least one medium reliability domain 150B in the group of medium reliability domains 150B is allowed to use, or has authorization to use, the domain stop recovery unit 400.

Step 1: A medium reliability domain 150B that has not stopped transmits data to another medium reliability domain 150B in the group of medium reliability domains 150B.

Step 2: The stop of the medium reliability domain 150B as the data transmission destination is sensed.

Step 3: Upon sensing that the medium reliability domain 150B as the data transmission destination has stopped, the medium reliability domain 150B as the transmission source of the data, which is allowed to use the domain stop recovery unit 400, requests the domain stop recovery unit 400, through the data transmission unit 302, to recover the stopped medium reliability domain 150B.

Step 4: The domain stop recovery unit 400 recovers the stopped medium reliability domain 150B based on the recovery request from the medium reliability domain 150B that was the transmission source of the data.

To confirm that the medium reliability domain 150B whose recovery is requested has actually stopped, the domain stop recovery unit 400 may check for the stop by using the data transmission unit 306 with a medium reliability domain stop sensing function between Step 3 and Step 4.
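The following Python is an added example, not code from the patent, modelling the second exemplary embodiment's path from stop sensing to recovery (FIG. 35 to FIG. 37): a data transmission unit that senses a stopped destination while transmitting to it, a requesting domain that files a recovery request on a sensed stop, and a domain stop recovery unit whose stop confirmation is run when the requester is less reliable than the target (Step 4 of FIG. 36) and skipped otherwise, as the reliability-based variant described for FIG. 35 permits. The domain names 150A to 150C, the numeric reliability ranks, the synchronous `DestinationStopped` signal standing in for a missed acknowledgement on the communication unit, the fixed requester-versus-target rule, and the recovery action (clearing the inbox and marking the domain running) are assumptions of this example.

```python
# Added illustration of the second exemplary embodiment (FIG. 35 to FIG. 37); not
# code from the patent. Domain names, reliability ranks, the synchronous stop
# signal and the recovery action are assumptions of this example.
from dataclasses import dataclass, field
from enum import IntEnum


class Reliability(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGHEST = 3


@dataclass
class Domain:
    name: str
    reliability: Reliability
    running: bool = True
    inbox: list = field(default_factory=list)


class DestinationStopped(Exception):
    """Raised by the stop sensing unit when the destination does not take the data."""


def transmit(source: str, dest: Domain, payload: bytes) -> None:
    """Data transmission unit with stop sensing function (units 304 to 307).
    Assumption: a stopped destination never acknowledges; the model reports that
    synchronously rather than through a timeout on the communication unit."""
    if not dest.running:
        raise DestinationStopped(dest.name)
    dest.inbox.append((source, payload))


def sense_stop(source: str, dest: Domain) -> bool:
    """True when the destination is sensed as stopped while transmitting to it."""
    try:
        transmit(source, dest, b"probe")
    except DestinationStopped:
        return True
    return False


@dataclass(frozen=True)
class RecoveryRequest:
    requester: str
    target: str


class DomainStopRecoveryUnit:
    """Domain stop recovery unit 400 including the stop confirmation unit 403."""

    def __init__(self, domains: dict):
        self.domains = domains

    @staticmethod
    def needs_confirmation(requester: Domain, target: Domain) -> bool:
        # FIG. 36 Step 4: a requester less reliable than its target is re-checked.
        # FIG. 35 variant: a requester at least as reliable as the target may be
        # trusted and the check skipped (assumed policy for this example).
        return requester.reliability < target.reliability

    def handle(self, req: RecoveryRequest) -> str:
        requester, target = self.domains[req.requester], self.domains[req.target]
        if self.needs_confirmation(requester, target) and not sense_stop("unit400", target):
            # The target answered, so the request is false or malicious: do nothing.
            return "rejected"
        target.inbox.clear()   # drop data queued at the stopped domain
        target.running = True  # assumed recovery action standing in for an OS reboot
        return "recovered"


def domain_sends(unit: DomainStopRecoveryUnit, source: str, dest: str) -> str:
    """Requester side (Steps 1 to 3): transmit; on a sensed stop, file a request."""
    if not sense_stop(source, unit.domains[dest]):
        return "delivered"
    return unit.handle(RecoveryRequest(requester=source, target=dest))


def run_scenarios() -> dict:
    """FIG. 36 with a real stop, a constructed false report, then FIG. 35."""
    domains = {
        "150A": Domain("150A", Reliability.HIGHEST),
        "150B": Domain("150B", Reliability.MEDIUM, running=False),
        "150C": Domain("150C", Reliability.LOW),
    }
    unit = DomainStopRecoveryUnit(domains)
    results = {"fig36": domain_sends(unit, "150C", "150B")}  # confirmed, recovered
    # 150B is running again; a low-domain request claiming otherwise is rejected.
    results["false_report"] = unit.handle(RecoveryRequest("150C", "150B"))
    domains["150C"].running = False
    # FIG. 35: requester 150B is more reliable than target 150C, so no re-check.
    results["fig35"] = domain_sends(unit, "150B", "150C")
    return results
```

`run_scenarios()` returns `{'fig36': 'recovered', 'false_report': 'rejected', 'fig35': 'recovered'}`: the low reliability domain's genuine report about 150B is confirmed by the recovery unit's own probe and acted on, its later report about a 150B that is in fact running is discarded after the re-check, and the medium reliability domain's request about 150C is carried out without a re-check. The re-check is what keeps a less reliable domain from using the recovery path to reboot a healthy, more reliable one.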

Effects of Second Exemplary Embodiment

Thus, according to the second exemplary embodiment, the stop confirmation unit 403 executes the above-described sensing processing based on the information notified by the various domains. Accordingly, even when the highest reliability domain 150A is notified of a processing request by the medium reliability domain 150B or the low reliability domain 150C, it no longer needs to sense the actual failure condition of the domain to be processed and confirm that the processing contents are genuine, so that the processing load on the highest reliability domain 150A is reduced.

Third Exemplary Embodiment

The third exemplary embodiment corresponds to the first exemplary embodiment shown in FIG. 24 and adopts the same structure, but differs in that the domain stop recovery unit 400 has a recovery processing control unit 404 which receives the requests issued by the various domains.

In the following, the differences from the first exemplary embodiment are mainly described.

Structure of Third Exemplary Embodiment

FIG. 38 is a diagram showing a structure of the domain stop recovery unit 400 according to the third exemplary embodiment.

As shown in FIG. 38, the domain stop recovery unit 400 according to the present exemplary embodiment differs from that of the first exemplary embodiment in having the recovery processing control unit 404.

The recovery processing control unit 404 has the same structure and function as the access control unit 30 shown in FIG. 4; it comprises a storage unit storing recovery processing allowance data 404 a and a recovery processing allowance unit 404 b, and has a function of determining whether a processing request notified from a domain other than the highest reliability domain 150A through the recovery request reception unit 401 is allowed or not.

In addition, when notified of a processing request, the recovery processing control unit 404 passes only an allowed processing request on to the domain stop recovery processing unit 402.

Here, of the recovery requests (processing requests) received from each domain, the recovery request reception unit 401 notifies the domain stop recovery processing unit 402 of a recovery request received from the highest reliability domain 150A, and notifies the recovery processing allowance unit 404 b of a recovery request received from any other domain.

The recovery processing control unit 404 thus executes control to allow a domain other than the highest reliability domain 150A, that is, a domain with a lower required security level, only a processing request in a form allowed in advance and directed to a domain allowed in advance.

The recovery processing allowance data 404 a is data set in advance by the highest reliability domain 150A, which correlates a processing request notified from a domain other than the highest reliability domain 150A with predetermined processing contents for a predetermined domain. This data can be read and written from the highest reliability domain 150A. From the recovery processing allowance unit 404 b, only reading is allowed. From any domain other than the highest reliability domain 150A, neither reading nor writing is allowed; in other words, there is no data bus between the recovery processing allowance data 404 a and the domains other than the highest reliability domain 150A.

FIG. 39 shows one example of the contents of the recovery processing allowance data 404 a.

As shown in FIG. 39, for each requesting source domain, that is, the domain on the side requesting recovery, the recovery processing allowance data 404 a defines the recovery destination domain that may be the target of recovery processing and the recovery method that may be applied to it.

When the requesting source domain is the domain #1, no recovery destination domain and no recovery method are defined.

When the requesting source domain is the domain #2, only the domain #1 is defined as a recovery destination domain, and only OS reboot as a recovery method.

When the requesting source domain is the domain #3, only the domain #2 is defined as a recovery destination domain, and reset and rollback as recovery methods.

The recovery processing allowance unit 404 b has a function of, upon receiving a processing request from a domain other than the highest reliability domain 150A through the recovery request reception unit 401, referring to the requesting source domain, recovery destination domain and recovery method in the recovery processing allowance data 404 a to determine whether the processing request matches an entry and is therefore allowed, and, when it is an allowed processing request, issuing the processing request to the domain stop recovery processing unit 402. When the determination is not to allow, the recovery processing allowance unit 404 b refrains from issuing the request to the domain stop recovery processing unit 402.

In other words, in addition to allowing or refusing a recovery request from an individual domain according to the reliability of that domain, as described in the first exemplary embodiment, recovery conditions can be determined according to the recovery destination domain and the processing contents such as the recovery processing. As a recovery condition in the present exemplary embodiment, for example, in addition to the condition setting of the first exemplary embodiment that refuses all recovery requests from the domain #1, recovery requests from the domain #2 and the domain #3 are partially allowed according to the recovery destination domain and the processing contents. The present exemplary embodiment is thus characterized in that finer-grained recovery conditions can be set.

Operation of Third Exemplary Embodiment

FIG. 40 is a diagram for explaining one example of the operation of the recovery processing control unit 404. In FIG. 40, the numeral beside each arrow represents the step number.

First, as initial setting, the highest reliability domain 150A defines the contents of the recovery processing allowance data 404 a.

Step 1: Assume that a domain other than the highest reliability domain 150A issues a processing request that does not match the recovery processing allowance data 404 a.

Step 2: The recovery processing allowance unit 404 b, on obtaining the processing request, reads the recovery processing allowance data 404 a to determine whether to allow the processing request.

Step 3: The recovery processing allowance unit 404 b returns an error to the requesting domain, because the processing request does not match the recovery processing allowance data 404 a.

Step 4: The domain other than the highest reliability domain 150A issues a different processing request.

Step 5: The recovery processing allowance unit 404 b, on obtaining the processing request, reads the recovery processing allowance data 404 a to determine whether to allow the processing request.

Step 6: When it allows the processing request from the domain other than the highest reliability domain 150A, the recovery processing allowance unit 404 b issues the processing request to the domain stop recovery processing unit 402.

Although the third exemplary embodiment has been described with respect to an example in which the recovery processing control unit 404 controls processing requests based on the recovery processing allowance data 404 a and the recovery processing allowance unit 404 b, the present invention is not limited to this structure. In place of the recovery processing allowance data, its inverse, recovery processing refusal data, and a recovery processing refusal unit may be provided. In this case, when a processing request from a domain other than the highest reliability domain 150A matches a predetermined condition on any or all of a predetermined requesting source domain for which refusal of recovery processing is defined in the recovery processing refusal data, a recovery refusal destination domain and a recovery method, the recovery processing refusal unit executes control to refuse that processing request.

Effects of Third Exemplary Embodiment

Thus, since according to the third exemplary embodiment of the present invention the recovery processing allowance unit 404 b of the recovery processing control unit 404 executes control to allow only a processing request directed to a domain allowed in advance and in a form allowed in advance, based on the recovery processing allowance data 404 a, it is possible to prevent various kinds of attacks on the highest reliability domain 150A, which requires high-level security, by additional processing externally obtained by a domain other than the highest reliability domain 150A through downloading or the like.

In addition, since the recovery processing control unit 404 decentralizes the recovery processing of the domain stop recovery unit 400, recovery processing can be sped up.

As a variation of the third exemplary embodiment, the recovery processing allowance unit 404 b may comprise a cache. In this case, the recovery processing allowance data 404 a used to determine allowance or non-allowance of a processing request is stored in the cache, and when determining allowance or non-allowance of subsequent processing requests, the unit checks whether the recovery processing allowance data 404 a relevant to the processing request exists in the cache; on a cache hit, the determination is sped up.

Fourth Exemplary Embodiment

The fourth exemplary embodiment corresponds to the first exemplary embodiment shown in FIG. 24 and adopts the same structure, but differs in that the domain stop recovery unit 400 has both the stop confirmation unit 403 and the recovery processing control unit 404.

In the following, the differences from the first exemplary embodiment are mainly described.

FIG. 41 is a diagram showing a structure of the domain stop recovery unit 400 according to the fourth exemplary embodiment.

As shown in FIG. 41, the domain stop recovery unit 400 according to the fourth exemplary embodiment differs from that of the first exemplary embodiment in having the stop confirmation unit 403 and the recovery processing control unit 404.

Since the stop confirmation unit 403 has the same structure as the stop confirmation unit 403 of the second exemplary embodiment and the recovery processing control unit 404 has the same structure as the recovery processing control unit 404 of the third exemplary embodiment, they are not described again here.

Operation of Fourth Exemplary Embodiment

In the domain stop recovery unit 400 according to the fourth exemplary embodiment, the recovery processing control unit 404 determines whether to allow a processing request from a domain other than the highest reliability domain 150A, as in the third exemplary embodiment, and the stop confirmation unit 403 obtains the processing request allowed by the recovery processing control unit 404 and, as in the second exemplary embodiment, confirms that the contents of the processing related to the obtained request are genuine; when it confirms that they are true, it notifies the domain stop recovery processing unit 402 of the information about the obtained processing request.
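The following Python is an added example, not the patent's code, implementing the recovery processing control of the third exemplary embodiment (the allowance data of FIG. 39 with default deny, the inverted refusal-data variant, and the FIG. 40 flow in which a non-matching request is answered with an error) and chaining it with the stop confirmation of the fourth exemplary embodiment, so that a request from a domain other than the highest reliability domain must both match the allowance data and target a domain that has actually stopped before the recovery processing unit is asked to act. The labels `domain1` to `domain3`, the separate `highest` label for the highest reliability domain, the method names `os_reboot`, `reset` and `rollback`, the wildcard form of the refusal rules and the `probe` callback that stands in for the data transmission units 304 and 306 are assumptions of this example; the allowance table itself follows FIG. 39.

```python
# Added example of the recovery processing control of the third exemplary
# embodiment (FIG. 39, FIG. 40) chained with the stop confirmation of the fourth;
# not code from the patent. Domain labels, method names, the wildcard refusal
# rules and the probe callback are assumptions; the table follows FIG. 39.
from types import MappingProxyType
from typing import Callable, Mapping, NamedTuple, Sequence


class Request(NamedTuple):
    source: str  # requesting source domain
    target: str  # recovery destination domain
    method: str  # requested recovery method


# Recovery processing allowance data 404 a as in FIG. 39. Exposed read-only: only
# the highest reliability domain writes it, and unit 404 b may only read it.
ALLOWANCE_DATA: Mapping[str, Mapping[str, frozenset]] = MappingProxyType({
    "domain1": {},                                            # may request nothing
    "domain2": {"domain1": frozenset({"os_reboot"})},
    "domain3": {"domain2": frozenset({"reset", "rollback"})},
})


def is_allowed(req: Request, table: Mapping = ALLOWANCE_DATA) -> bool:
    """Recovery processing allowance unit 404 b: default deny. A request passes
    only when source, destination and method all match one entry."""
    return req.method in table.get(req.source, {}).get(req.target, frozenset())


# Inverted variant: recovery processing refusal data. Each rule is
# (source, target, method) with None as a wildcard, so a rule may match on any
# or all three fields. Anything no rule matches is allowed. Constructed rules.
REFUSAL_DATA: Sequence[tuple] = (
    ("domain1", None, None),   # refuse every request from domain1
    (None, "domain3", None),   # refuse any request to have domain3 recovered
    (None, None, "rollback"),  # refuse rollback whoever asks, whatever the target
)


def is_refused(req: Request, rules: Sequence[tuple] = REFUSAL_DATA) -> bool:
    """Recovery processing refusal unit: refuse when some rule matches all the
    fields it sets."""
    return any(all(r is None or r == v for r, v in zip(rule, req)) for rule in rules)


def handle_request(req: Request, probe: Callable[[str], bool],
                   table: Mapping = ALLOWANCE_DATA, highest: str = "highest") -> str:
    """Domain stop recovery unit 400 of the fourth exemplary embodiment.

    A request from the highest reliability domain is passed by the reception unit
    401 straight to the recovery processing unit 402. Any other request must pass
    unit 404 b (allowance data) and then unit 403, where probe(target) stands in for
    the data transmission units 304/306 confirming that the target really stopped.
    The string returned is what the requesting domain is told."""
    if req.source != highest:
        if not is_allowed(req, table):
            return "error: request not in recovery processing allowance data"
        if not probe(req.target):
            return "error: target domain is not stopped"
    return f"recovered {req.target} by {req.method}"


def run_fig40(stopped: Mapping[str, bool]) -> list:
    """FIG. 40 over constructed domain states: a request that does not match the
    allowance data gets an error (Steps 1 to 3); a matching one is carried out
    (Steps 4 to 6), unless the stop confirmation finds the target still running."""

    def probe(domain: str) -> bool:
        return stopped.get(domain, False)

    requests = [
        Request("domain2", "domain1", "reset"),      # method not allowed for domain2
        Request("domain2", "domain1", "os_reboot"),  # allowed, and domain1 is stopped
        Request("domain3", "domain2", "rollback"),   # allowed, but domain2 is running
        Request("domain1", "domain2", "os_reboot"),  # domain1 may request nothing
        Request("highest", "domain3", "reset"),      # highest domain is not filtered
    ]
    return [handle_request(r, probe) for r in requests]
```

Wrapping the allowance data in `MappingProxyType` mirrors the read-only access of unit 404 b to the data 404 a; a domain that reaches this code path holds no reference through which it could write the table. The refusal data is kept as a separate default-allow check rather than chained into `handle_request`, since the text presents it as an alternative to the allowance data, not an addition to it. Matching on all three fields at once is what makes the condition finer-grained than the first exemplary embodiment's per-domain allow or refuse: domain2 may reboot domain1 but may not reset it, and may do nothing at all to domain3.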

Effects of Fourth Exemplary Embodiment

Thus, according to the fourth exemplary embodiment of the present invention, since the recovery processing allowance unit 404 b of the recovery processing control unit 404 executes control to allow only a processing request directed to a domain allowed in advance and in a form allowed in advance, based on the recovery processing allowance data 404 a, it is possible to prevent various kinds of attacks on the highest reliability domain 150A, which requires high-level security, by additional processing externally obtained by a domain other than the highest reliability domain 150A through downloading or the like, thereby improving the security of the highest reliability domain 150A.

In addition, since the recovery processing control unit 404 decentralizes the recovery processing of the domain stop recovery unit 400, recovery processing can be sped up.

Furthermore, the stop confirmation unit 403 executes the above-described sensing processing based on the information related to a processing request allowed by the recovery processing allowance unit 404 b. Accordingly, even when the highest reliability domain 150A is notified of a processing request by the medium reliability domain 150B or the low reliability domain 150C, it no longer needs to sense the actual failure condition of the domain to be processed and confirm that the contents of the processing are genuine. The processing load on the highest reliability domain 150A is thereby reduced, and a failure actually occurring in a domain is recovered appropriately while the security of the highest reliability domain 150A is ensured.

While the present invention has been described above with respect to a plurality of preferred exemplary embodiments, the present invention is not limited to those exemplary embodiments and can be implemented with variations within the range of its technical idea.

For example, while the exemplary embodiments have been described with respect to an information processing device formed of three domains, the number of domains is not limited to three and may be two, or four or more, as long as the respective domains are separated as described in the exemplary embodiments.

Furthermore, while the exemplary embodiments have been described with respect to a structure in which the recovery processing control unit 404 is provided in the domain stop recovery unit 400, the position of the recovery processing control unit 404 is not limited to the inside of the domain stop recovery unit 400; it may be outside the domain stop recovery unit 400, within the highest reliability domain 150A, or at a plurality of places. When the recovery processing control unit 404 is provided in the highest reliability domain 150A, the highest reliability domain 150A may determine whether to allow a processing request from a domain other than the highest reliability domain 150A and notify the domain stop recovery processing unit 402 of the information of an allowed processing request.

According to the exemplary embodiments of the present invention described above, the following effects are attained.

The first effect is that a failure occurring in each domain is recovered upon a recovery request that satisfies a recovery condition set in advance.

The reason is that a plurality of processors form a plurality of domains according to the processing contents to be executed, processors in different domains communicate with each other through a communication unit, and failure recovery processing for a domain developing a fault is executed based on a failure recovery request notified from a domain and a recovery condition set in advance for each domain. A failure occurring in any domain can therefore be recovered in response to a recovery request that satisfies the recovery condition set in advance for that domain.

The second effect is that a predetermined domain among the plurality of domains can be recovered according to a recovery condition different from those of the other domains.

The reason is that the plurality of domains are formed with a specific domain and the other domains separated according to the processing contents to be executed, and failure recovery processing for a domain developing a fault is executed based on a failure recovery request notified from the specific domain or from the other domains and on a recovery condition set in advance for each of the specific domain and the other domains. The specific domain and the other domains can therefore be recovered according to different recovery conditions.

The third effect is that the security of a domain which executes processing whose security level is higher than a certain fixed level can be ensured.

The reason is that the specific domain is a domain which executes processing whose security level is higher than a certain fixed level, the other domain is a domain having at least one processing whose security level is lower than that of the processing executed in the specific domain, and the specific domain senses a failure in the other domain through data transmission to it by the communication unit and makes a failure recovery request to the recovery unit. The specific domain and the other domain are thus formed separately from each other, and it is the specific domain, having detected a failure in the other domain, that recovers the other domain through the recovery unit.

The fourth effect is improvement in the availability of the information processing device.

The reason is that a domain whose security is ensured and which executes processing whose security level is higher than a certain fixed level detects a failure occurring in a domain having at least one processing whose security level is lower than that of the processing executed in the specific domain, and recovers the failure through the recovery unit.

The fifth effect is that a failure occurring in each domain can be recovered with a predetermined security level ensured.

The reason is that a recovery condition is defined based on a security level set for each of the processing contents indicated in a failure recovery request from a domain, and the recovery unit executes failure recovery processing for a domain developing a fault based on the failure recovery request notified from the domain and that recovery condition. Accordingly, a recovery request is accepted when it satisfies the recovery condition defined based on the security level set for the processing contents.

While the invention has been particularly shown and described with reference to exemplary embodiments thereof, the invention is not limited to these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the claims.

INCORPORATION BY REFERENCE

This application is based upon and claims the benefit of priority from Japanese patent application No. 2005-177811, filed on Jun. 17, 2005, the disclosure of which is incorporated herein in its entirety by reference.

1. An information processing device, comprising a plurality of processors, wherein said plurality of processors form a plurality of domains according to processing contents to be executed, and the processors in different domains communicate with each other through a communication unit, and which further comprises a recovery unit for executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and a recovery condition set in advance for each said domain.
2. The information processing device according to claim 1, wherein said plurality of domains are structured separately as a specific domain and other domain according to processing contents to be executed, and said recovery unit executes, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said specific domain or said other domain and a recovery condition set in advance for each of said specific domain and said other domain.
3. The information processing device according to claim 2, wherein said specific domain is a domain executing processing whose security level is equal to or higher than a fixed security level, said other domain is a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, and said specific domain senses a failure in said other domain through data transmission to said other domain by said communication unit to make a recovery request for said failure to said recovery unit.
4. The information processing device according to claim 2, wherein said specific domain is a domain executing processing whose security level is equal to or higher than a fixed security level, said other domain is a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, said other domain senses a failure in any said other domain to notify said specific domain of a recovery request for the failure of said other domain, and said specific domain senses a failure in said other domain through data transmission to said other domain by said communication unit to make a recovery request for said failure to said recovery unit.

5. The information processing device according to claim 3, wherein sensing of a failure through data transmission is executed according to whether a response is made or not from a domain as a destination of said data transmission within a predetermined time period or a predetermined number of times, said specific domain is a domain executing basic processing as said processing whose security level is equal to or higher than a fixed security level, and for sensing a failure by said specific domain through data transmission to said other domain, a time period shorter than said predetermined time period is set or a number of times less than said predetermined number of times is set.
6. The information processing device according to claim 2, wherein said specific domain is a domain executing processing whose security level is equal to or higher than a fixed security level, said other domain is a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, said other domain senses a failure in any said other domain to notify said specific domain of a recovery request for a failure of said other domain, and said specific domain makes a recovery request for said failure to said recovery unit.

7. The information processing device according to claim 2, wherein said specific domain is a domain executing processing whose security level is equal to or higher than a fixed security level, said other domain is a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, said other domain senses a failure in any said other domain to make a recovery request for said failure to said recovery unit without going through said specific domain, and said recovery unit executes, for said other domain developing a fault, failure recovery processing based on a recovery request for said failure notified by said other domain and a recovery condition set in advance for each said other domain.
8. The information processing device according to claim 1, wherein said recovery condition is defined based on a security level set for each processing contents indicated in a failure recovery request from said domain, and said recovery unit executes, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and said recovery condition.
9. The information processing device according to claim 6, wherein said other domains are structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, said first domain senses a failure in said second domain through data transmission to said second domain by said communication unit to notify said specific domain of a recovery request for the failure of said second domain, and said specific domain makes a recovery request for said failure to said recovery unit.
10. The information processing device according to claim 7, wherein said other domains are structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, said first domain senses a failure in said second domain through data transmission to said second domain by said communication unit to notify said recovery unit of a recovery request for the failure of said second domain without going through said specific domain, and said recovery unit executes, for said second domain developing a fault, failure recovery processing based on a recovery request of said failure notified by said first domain and a recovery condition set in advance for each said other domain.
11. The information processing device according to claim 4, wherein said other domains are structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, said second domain senses a failure in said first domain through data transmission to said first domain by said communication unit to notify said specific domain of a recovery request for the failure of said first domain, and said specific domain senses a failure of the first domain through data transmission to said first domain by said communication unit to make a recovery request for said failure to said recovery unit.

12. The information processing device according to claim 7, wherein said other domains are structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, said second domain senses a failure in said first domain through data transmission to said first domain by said communication unit to notify said recovery unit of a recovery request for the failure of said first domain without going through said specific domain, and said recovery unit senses a failure of the first domain through data transmission to said first domain by said communication unit to execute, for said first domain developing a fault, failure recovery processing based on a recovery request of said failure notified by said second domain and a recovery condition set in advance for each said other domain.
13. The information processing device according to claim 11, wherein sensing of a failure through data transmission is executed according to whether a response is made or not from a domain as a destination of said data transmission within a predetermined time period or a predetermined number of times, and for sensing a failure by said second domain through data transmission to said first domain, a time period longer than said predetermined time period is set or a number of times larger than said predetermined number of times is set.

14. The information processing device according to claim 2, wherein said recovery unit accepts a recovery request from said specific domain unconditionally and refuses a recovery request from said other domain.

15. The information processing device according to claim 1, wherein upon notification of a failure recovery request from said domain, said recovery unit senses a failure in a domain to be recovered through data transmission to said domain to be recovered to execute, for said domain developing the failure, failure recovery processing based on said failure recovery request and said recovery condition.
16. The information processing device according to claim 1, wherein said recovery unit comprises a determination unit for determining whether to allow a failure recovery request notified by said domain, and based on a recovery request allowed by said determination unit, executes failure recovery processing for a domain developing a fault.
17. The information processing device according to claim 16, wherein said determination unit comprises data related to failure recovery which is set for each said domain, and based on a failure recovery request notified by said domain and said data, determines whether to allow said failure recovery request.
18. The information processing device according to claim 17, wherein said data is set based on a security level set for each processing contents indicated by a failure recovery request from said domain.
19. The information processing device according to claim 1, wherein said recovery unit comprises a determination unit for determining whether to allow a failure recovery request notified by said domain, and based on a recovery request allowed by said determination unit, senses a failure in said domain to be recovered through data transmission to said domain to be recovered to execute failure recovery processing for said domain developing a fault.
20. A recovery device for recovering, on an information processing device having a plurality of domains formed of a plurality of processors, a failure occurring on said domain, which comprises, with said plurality of processors forming a plurality of domains according to processing contents to be executed, a recovery unit for executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and a recovery condition set in advance for each said domain.

21. The recovery device according to claim 20, wherein said plurality of domains are structured separately as a specific domain and other domain according to processing contents to be executed, and said recovery unit executes, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said specific domain or said other domain and a recovery condition set in advance for each of said specific domain and said other domain.
22. The recovery device according to claim 20, wherein said recovery condition is defined based on a security level set for each processing contents indicated in a failure recovery request from said domain, and said recovery unit executes, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and said recovery condition.
23. The recovery device according to claim 21, wherein said other domains are structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, said second domain senses a failure in said first domain through data transmission to said first domain to notify said recovery unit of a recovery request for the failure of said first domain without going through said specific domain, and said recovery unit senses a failure of the first domain through data transmission to said first domain to execute, for said first domain developing a fault, failure recovery processing based on a recovery request of said failure notified by said second domain and a recovery condition set in advance for each said other domain.
24. The recovery device according to claim 21, wherein said recovery unit accepts a recovery request from said specific domain unconditionally and refuses a recovery request from said other domain.
25. The recovery device according to claim 20, wherein upon notification of a failure recovery request from said domain, said recovery unit senses a failure in a domain to be recovered through data transmission to said domain to be recovered to execute, for said domain developing the failure, failure recovery processing based on said failure recovery request and said recovery condition.
26. The recovery device according to claim 20, wherein said recovery unit comprises a determination unit for determining whether to allow a failure recovery request notified by said domain, and based on a recovery request allowed by said determination unit, executes failure recovery processing for a domain developing a fault.
27. The recovery device according to claim 26, wherein said determination unit comprises data related to failure recovery which is set for each said domain, and based on a failure recovery request notified by said domain and said data, determines whether to allow said failure recovery request.
28. The recovery device according to claim 27, wherein said data is set based on a security level set for each processing contents indicated by a failure recovery request from said domain.
29. The recovery device according to claim 20, wherein said recovery unit comprises a determination unit for determining whether to allow a failure recovery request notified by said domain, and based on a recovery request allowed by said determination unit, senses a failure in said domain to be recovered through data transmission to said domain to be recovered to execute failure recovery processing for said domain developing a fault.
30. A program executed on an information processing device as a computer processing device formed of a plurality of processors to realize recovery of a function of said information processing device, which makes said information processing device execute, with said plurality of processors forming a plurality of domains according to processing contents to be executed, a communication function of causing the processors in different domains to communicate with each other, and a recovery function of executing, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and a recovery condition set in advance for each said domain.
31. The program according to claim 30, further comprising the functions of: with said plurality of domains being structured separately as a specific domain and other domain according to processing contents to be executed, a function of causing said recovery function to execute, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said specific domain or said other domain and a recovery condition set in advance for each of said specific domain and said other domain.
32. The program according to claim 30, further comprising the functions of: with said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a function of causing said specific domain to sense a failure in said other domain through data transmission to said other domain by said communication function to make a recovery request for said failure to said recovery function.

33. The program according to claim 30, further comprising the functions of: with said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a function of causing said other domain to sense a failure in any said other domain to notify said specific domain of a recovery request for the failure of said other domain, and a function of causing said specific domain to sense a failure in said other domain through data transmission to said other domain by said communication function to make a recovery request for said failure to said recovery function.
34. The program according to claim 32, further comprising the functions of: a function of executing sensing of a failure through data transmission according to whether a response is made or not from a domain as a destination of said data transmission within a predetermined time period or a predetermined number of times, a function of causing said specific domain to execute basic processing as said processing whose security level is equal to or higher than a fixed security level, and a function of, when said failure sensing function senses a failure by said specific domain through data transmission to said other domain, setting a time period shorter than said predetermined time period or setting a number of times less than said predetermined number of times.
35. The program according to claim 31, further comprising the functions of: with said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a function of causing said other domain to sense a failure in any said other domain to notify said specific domain of a recovery request for a failure of said other domain, and a function of causing said specific domain to make a recovery request for said failure to said recovery function.
36. The program according to claim 31, further comprising the functions of: with said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a function of causing said other domain to sense a failure in any said other domain to make a recovery request for said failure to said recovery function without going through said specific domain, and a function of causing said recovery function to execute, for said other domain developing a fault, failure recovery processing based on a recovery request for said failure notified by said other domain and a recovery condition set in advance for each said other domain.
37. The program according to claim 30, further comprising the functions of: with said recovery condition being defined based on a security level set for each processing contents indicated in a failure recovery request from said domain, a function of causing said recovery function to execute, for a domain developing a fault, failure recovery processing based on a failure recovery request notified by said domain and said recovery condition.
38. The program according to claim 35, further comprising the functions of: with said other domains being structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, a function of causing said first domain to sense a failure in said second domain through data transmission to said second domain by said communication function to notify said specific domain of a recovery request for the failure of said second domain, and a function of causing said specific domain to make a recovery request for said failure to said recovery function.
39. The program according to claim 36, further comprising the functions of: with said other domains being structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, a function of causing said first domain to sense a failure in said second domain through data transmission to said second domain by said communication function to notify said recovery function of a recovery request for the failure of said second domain without going through said specific domain, and a function of causing said recovery function to execute, for said second domain developing a fault, failure recovery processing based on a recovery request of said failure notified by said first domain and a recovery condition set in advance for each said other domain.
40. The program according to claim 33, further comprising the functions of: with said other domains being structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, a function of causing said second domain to sense a failure in said first domain through data transmission to said first domain by said communication function to notify said specific domain of a recovery request for the failure of said first domain, and a function of causing said specific domain to sense a failure of the first domain through data transmission to said first domain by said communication function to make a recovery request for said failure to said recovery function.
41. The program according to claim 36, further comprising the functions of: with said other domains being structured separately according to processing contents to be executed, as a first domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain and a second domain having at least one processing whose security level is lower than a security level of processing executed by said first domain, a function of causing said second domain to sense a failure in said first domain through data transmission to said first domain by said communication function to notify said recovery function of a recovery request for the failure of said first domain without going through said specific domain, and a function of causing said recovery function to sense a failure of the first domain through data transmission to said first domain by said communication function to execute, for said first domain developing a fault, failure recovery processing based on a recovery request of said failure notified by said second domain and a recovery condition set in advance for each said other domain.
42. The program according to claim 40, further comprising the functions of: a function of executing sensing of a failure through data transmission according to whether a response is made or not from a domain as a destination of said data transmission within a predetermined time period or a predetermined number of times, and a function of, when said failure sensing function senses a failure by said second domain through data transmission to said first domain, setting a time longer than said predetermined time or setting a number of times larger than said predetermined number of times.
43. The program according to claim 31, further comprising the function of: a function of causing said recovery function to accept a recovery request from said specific domain unconditionally and refuse a recovery request from said other domain.
44. The program according to claim 30, further comprising the function of: a function of causing said recovery function, upon notification of a failure recovery request from said domain, to sense a failure in a domain to be recovered through data transmission to said domain to be recovered and execute, for said domain developing the failure, failure recovery processing based on said failure recovery request and said recovery condition.
45. The program according to claim 30, wherein said recovery function comprises a determination function of determining whether to allow a failure recovery request notified by said domain, and further comprising a function of executing failure recovery processing for a domain developing a fault based on a recovery request allowed by said determination function.
46. The program according to claim 45, further comprising the function of: a function of causing said determination function to determine whether to allow said failure recovery request based on a failure recovery request notified by said domain and a security level set for each processing contents of said domain.
47. The program according to claim 30, wherein said recovery function comprises a determination function of determining whether to allow a failure recovery request notified by said domain, and further comprising a function of sensing, based on a recovery request allowed by said determination function, a failure in said domain to be recovered through data transmission to said domain to be recovered by said communication function to execute failure recovery processing for said domain developing a fault.
48. A recovery method of recovering a processing function of an information processing device formed of a plurality of processors, comprising: with said plurality of processors forming a plurality of domains according to processing contents to be executed, and with the processors in different domains communicating by a communication step, a recovery step of executing, by a recovery unit on said information processing device, failure recovery processing for a domain developing a fault based on a failure recovery request notified by said domain and a recovery condition set in advance for each said domain.
49. The recovery method according to claim 48, wherein with said plurality of domains being structured separately as a specific domain and other domain according to processing contents to be executed, at said recovery step, for a domain developing a fault, failure recovery processing is executed based on a failure recovery request notified by said specific domain or said other domain and a recovery condition set in advance for each of said specific domain and said other domain.

50. The recovery method according to claim 48, comprising: with said specific domain being a domain which executes processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed by said specific domain, a sensing step of said specific domain to sense a failure in said other domain through data transmission to said other domain by said communication step, and a step of said specific domain to make a recovery request for said failure sensed at said sensing step to said recovery unit.
51. The recovery method according to claim 48, comprising: with said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a sensing step of said other domain to sense a failure in any said other domain, a notification step of said other domain to notify said specific domain of a recovery request for a failure of said other domain sensed at said sensing step, a sensing step of said specific domain to sense a failure in said other domain notified at said notification step through data transmission to said other domain by said communication unit, and a step of said specific domain to make a recovery request for said failure sensed at said sensing step to said recovery unit.
52. The recovery method according to claim 50, further comprising: a step of executing sensing of a failure through data transmission according to whether a response is made or not from a domain as a destination of said data transmission within a predetermined time period or a predetermined number of times, wherein said specific domain is a domain executing basic processing as processing whose security level is equal to or higher than said fixed security level, and at said step, when sensing a failure through data transmission by said specific domain to said other domain, a failure is sensed by a time shorter than said predetermined time or a number of times less than said predetermined number of times.
53. The recovery method according to claim 49, comprising: said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level, and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a sensing step of said other domain to sense a failure in any said other domain, a notification step of said other domain to notify said specific domain of a recovery request for a failure of said other domain sensed at said sensing step, and a step of said specific domain to make a recovery request for said failure notified at said notification step to said recovery unit.
54. The recovery method according to claim 49, comprising: said specific domain being a domain executing processing whose security level is equal to or higher than a fixed security level, and said other domain being a domain having at least one processing whose security level is lower than a security level of processing executed in said specific domain, a sensing step of said other domain to sense a failure in any said other domain, and a step of said other domain to make a recovery request for said failure sensed at said sensing step to said recovery unit without going through said specific domain, wherein at said recovery step, failure recovery processing is executed for said other domain developing a fault based on a recovery request of said failure notified by said other domain and a recovery condition set in advance for each said other domain.
 55. The recovery method accordingto claim 48, wherein said recovery condition is defined based on asecurity level set for each processing contents indicated in a failurerecovery request from said domain, and at said recovery step, for otherdomain developing a fault, failure recovery processing is executed basedon a failure recovery request notified by said domain and said recoverycondition.
 56. The recovery method according to claim 53, comprising:with said other domains being structured separately according toprocessing contents to be executed, as a first domain having at leastone processing whose security level is lower than a security level ofprocessing executed by said specific domain and a second domain havingat least one processing whose security level is lower than a securitylevel of processing executed by said first domain, a sensing step ofsaid first domain to sense a failure in said second domain through datatransmission to said second domain by said communication step, anotification step of said first domain to notify said specific domain ofa recovery request for a failure of said second domain sensed at saidsensing step, and a step of said specific domain to make a recoveryrequest for said failure notified at said notification step to saidrecovery unit.
 57. The recovery method according to claim 54,comprising: with said other domains being structured separatelyaccording to processing contents to be executed, as a first domainhaving at least one processing whose security level is lower than asecurity level of processing executed by said specific domain and asecond domain having at least one processing whose security level islower than a security level of processing executed by said first domain,a sensing step of said first domain to sense a failure in said seconddomain through data transmission to said second domain by saidcommunication step, and a notification step of said specific domain tonotify said recovery unit of a recovery request for a failure of saidsecond domain sensed at said sensing step without through said specificdomain, wherein at said recovery step, failure recovery processing isexecuted for said second domain developing a fault based on a recoveryrequest of said failure notified by said first domain and a recoverycondition set in advance for each said other domain.
 58. The recoverymethod according to claim 51, comprising: with said other domains beingstructured separately according to processing contents to be executed,as a first domain having at least one processing whose security level islower than a security level of processing executed by said specificdomain and a second domain having at least one processing whose securitylevel is lower than a security level of processing executed by saidfirst domain, a sensing step of said second domain to sense a failure insaid first domain through data transmission to said first domain at thecommunication step, a notification step of said second domain to notifysaid specific domain of a recovery request for a failure of said firstdomain sensed at said sensing step, a sensing step of said specificdomain to sense a failure of the first domain notified at saidnotification step through data transmission to said first domain by saidcommunication step, and a step of said specific domain to make arecovery request for said failure sensed at said sensing step to saidrecovery unit.
 59. The recovery method according to claim 54,comprising: with said other domains being structured separatelyaccording to processing contents to be executed, as a first domainhaving at least one processing whose security level is lower than asecurity level of processing executed by said specific domain and asecond domain having at least one processing whose security level islower than a security level of processing executed by said first domain,a sensing step of said second domain to sense a failure in said firstdomain through data transmission to said first domain by saidcommunication step, and a notification step of said second domain tonotify said recovery unit of a recovery request for a failure of saidfirst domain sensed at said sensing step without through said specificdomain, wherein at said recovery step, a failure of the first domain issensed through data transmission to said first domain by saidcommunication step to execute, for said first domain developing a fault,failure recovery processing based on a recovery request of said failurenotified by said second domain and a recovery condition set in advancefor each said other domain.
 60. The recovery method according to claim58, comprising: a step of executing sensing of a failure through datatransmission according to whether a response is made or not from adomain as a destination of said data transmission within a predeterminedtime period or a predetermined number of times, wherein at said step,when sensing a failure by said second domain through data transmissionto said first domain, a failure is sensed in a time longer than saidpredetermined time or by a number of times larger than saidpredetermined number of times.
 61. The recovery method according toclaim 49, wherein at said recovery step, a recovery request from saidspecific domain is accepted unconditionally and a recovery request fromsaid other domain is refused.
 62. The recovery method according to claim48, comprising: a sensing step of said recovery unit, upon notificationof a failure recovery request from said domain, to sense a failure in adomain to be recovered through data transmission to said domain to berecovered by said communication step, wherein at said recovery stepafter sensing at said sensing step, recovery processing of a failure isexecuted for said domain developing the failure based on said failurerecovery request and said recovery condition.
 63. The recovery methodaccording to claim 48, wherein at said recovery step, failure recoveryprocessing is executed for a domain developing a fault based on arecovery request allowed by said determination step of said recoveryunit to determine whether to allow a failure recovery request notifiedfrom said domain.
 64. The recovery method according to claim 63, whereinat said determination step, whether to allow said failure recoveryrequest is determined based on a failure recovery request notified bysaid domain and a security level set for each processing contents ofsaid domain.
 65. The recovery method according to claim 48, wherein atsaid recovery step, based on a recovery request allowed by thedetermination step of said recovery unit to determine whether to allow afailure recovery request notified by said domain, a failure in saiddomain to be recovered is sensed through data transmission to saiddomain to be recovered by said communication step to execute failurerecovery processing for said domain developing a fault.
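As an added illustration that is not part of the patent text, the following Python model sketches the recovery-unit behaviour of claims 52, 60 and 61 to 65: domains carrying security levels, arbitration of recovery requests, and failure sensing by repeated data transmission before any recovery is executed. The class and method names, the per-domain recovery condition, and the concrete security-level rule are assumptions of this model, not the patent's own implementation.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Domain:
    name: str
    security_level: int   # higher value = more trusted processing
    alive: bool = True    # constructed stand-in for "responds to data transmission"
    restarts: int = 0


class RecoveryUnit:
    """Arbitrates recovery requests and senses failures before recovering (claims 61-65)."""

    def __init__(self, fixed_level: int, recovery_condition: Dict[str, int], retries: int = 3):
        self.fixed_level = fixed_level                # level at or above which a domain is "specific"
        self.recovery_condition = recovery_condition  # per target: minimum requester level, set in advance
        self.retries = retries                        # predetermined number of transmissions

    def is_specific(self, d: Domain) -> bool:
        return d.security_level >= self.fixed_level

    def allow(self, requester: Domain, target: Domain) -> bool:
        if self.is_specific(requester):               # claim 61: accepted unconditionally
            return True
        # claim 64: judged from the requester's security level against the recovery
        # condition set for the target domain (assumed concrete rule for this model)
        return requester.security_level >= self.recovery_condition.get(target.name, self.fixed_level)

    def attempts_for(self, sender: Domain) -> int:
        # claim 52: the specific domain concludes after fewer transmissions;
        # claim 60: a lower domain probing a higher one must try more often
        return self.retries - 1 if self.is_specific(sender) else self.retries + 1

    def sense_failure(self, target: Domain, attempts: int) -> bool:
        for _ in range(max(1, attempts)):             # each iteration is one data transmission
            if target.alive:                          # response arrived within the predetermined time
                return False
        return True                                   # no response after the predetermined count

    def recover(self, requester: Domain, target: Domain) -> str:
        if not self.allow(requester, target):
            return "refused"
        if not self.sense_failure(target, self.retries):  # claims 62/65: re-sense before acting
            return "no-fault"
        target.alive = True                           # recovery restarts only the faulty domain
        target.restarts += 1
        return "recovered"
```

A request from a low-level domain against a higher-level target is refused before any transmission takes place, so a compromised add-on domain cannot force a restart of the basic-processing domain through this path.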